TickDB Real-time Market Data API
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a coherent market-data API helper that makes disclosed TickDB.ai requests and may use a TickDB API key, with no artifact evidence of hidden persistence, local file access, or destructive behavior.
This skill appears safe for its stated purpose of retrieving market data. Before installing, understand that it may call TickDB.ai automatically for market-data questions and may use a TickDB API key if you provide one; verify the service source before sharing a personal or paid key.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your requested symbols or market-data parameters may be sent to TickDB.ai to return the requested prices or financial data.
The skill instructs the agent to automatically contact TickDB.ai and then call market-data APIs when the user asks for market data. This is aligned with the skill purpose, but users should know external API calls may occur.
每次用户触发行情查询且未提供正式 Key 时,AI 必须执行以下步骤:1. 调用 `GET https://tickdb.ai/api/public/claw-keys` ... 3. 使用该 Key 调用业务接口完成本次查询
Use the skill when you are comfortable sending market-data queries to TickDB.ai, and review any API responses before relying on them for financial decisions.
If you paste your TickDB API key into the conversation, the agent may use it for later TickDB requests during that conversation.
The skill may use a user-provided TickDB API key. The handling is disclosed and purpose-aligned, with explicit no-persistence guidance, but API keys are still sensitive credentials.
认证方式: API Key(放在 HTTP Header `X-API-Key` 中) ... 如果用户在对话中主动提供了自己的 API Key:1. 在本轮对话的后续请求中直接使用该 Key ... 2. Key 仅保留在对话上下文中,不写入任何文件
Only provide a TickDB API key if you trust the environment, avoid sharing unrelated credentials, and rotate the key if you believe it was exposed.
You have less registry-level assurance that the skill was published by the service operator it references.
The registry metadata does not identify a verified source or homepage, even though the skill directs users and agents to TickDB.ai services. This is a provenance gap rather than evidence of malicious behavior.
Source: unknown Homepage: none
Before using a paid or personal API key, verify the TickDB.ai domain and documentation independently.