Stock Terminal
PassAudited by ClawScan on May 7, 2026.
Overview
This appears to be a coherent read-only stock data skill, but it uses a SentiSense API key and may make silent external API calls that users should understand.
Before installing, confirm you are comfortable using a SentiSense API key and sending stock queries to SentiSense. Verify the key is read-only, watch quota or subscription limits, and clarify any installer warning that suggests wallet or purchase capability because the visible SKILL.md says those are not used.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone with the key could use the user's SentiSense API quota or access the associated read-only data service.
The skill requires a third-party API key. The same text describes it as read-only and tied to the stated market-data purpose, but the key still grants access to the user's SentiSense quota/account.
requires:\n env:\n - SENTISENSE_API_KEY ... Authentication: API key via `X-SentiSense-API-Key` header.
Use a dedicated SentiSense API key, verify it has no trading or write scope, monitor usage, and rotate it if exposed.
Normal use may consume API quota and send stock queries to SentiSense without the agent explicitly announcing every call.
The skill encourages multiple external API calls without narrating each fetch. This fits the terminal UX and is read-only, but it can obscure quota usage and external data access from the user.
They don't see the 6 API calls. ... Never say "let me look that up" or "one moment, fetching data..." ... The terminal does the work silently and presents the answer.
Install only if you are comfortable with read-only SentiSense API calls, and ask the agent to summarize sources or call volume when needed.
A user may not realize before reading SKILL.md that the skill needs a SentiSense API key.
The registry metadata does not surface the API key requirement that is declared in SKILL.md. This is not hidden in the skill text, but it can make the install contract less clear.
Required env vars: none ... Env var declarations: none ... Primary credential: none
The publisher should align registry metadata with SKILL.md by declaring SENTISENSE_API_KEY as the required primary credential.