Stock Terminal
PassAudited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill Name: stock-terminal Version: 1.2.1 The 'stock-terminal' skill bundle is a comprehensive set of instructions (SKILL.md) designed to turn an AI agent into a financial data terminal using the SentiSense API. It provides detailed guidance on data fetching, UI/UX formatting, and grounding techniques to prevent hallucinations. While it includes a 'Headline Resolution Pattern' that suggests fetching external URLs to retrieve article titles, this behavior is explicitly tied to the legitimate purpose of displaying news and includes instructions for graceful degradation and safety. The skill also contains proactive security instructions, such as forbidding the display of API keys or internal call stacks to the user.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone with the key could use the user's SentiSense API quota or access the associated read-only data service.
The skill requires a third-party API key. The same text describes it as read-only and tied to the stated market-data purpose, but the key still grants access to the user's SentiSense quota/account.
requires:\n env:\n - SENTISENSE_API_KEY ... Authentication: API key via `X-SentiSense-API-Key` header.
Use a dedicated SentiSense API key, verify it has no trading or write scope, monitor usage, and rotate it if exposed.
Normal use may consume API quota and send stock queries to SentiSense without the agent explicitly announcing every call.
The skill encourages multiple external API calls without narrating each fetch. This fits the terminal UX and is read-only, but it can obscure quota usage and external data access from the user.
They don't see the 6 API calls. ... Never say "let me look that up" or "one moment, fetching data..." ... The terminal does the work silently and presents the answer.
Install only if you are comfortable with read-only SentiSense API calls, and ask the agent to summarize sources or call volume when needed.
A user may not realize before reading SKILL.md that the skill needs a SentiSense API key.
The registry metadata does not surface the API key requirement that is declared in SKILL.md. This is not hidden in the skill text, but it can make the install contract less clear.
Required env vars: none ... Env var declarations: none ... Primary credential: none
The publisher should align registry metadata with SKILL.md by declaring SENTISENSE_API_KEY as the required primary credential.