Stock Market Intelligence
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears to be a transparent market-data API helper, with expected API-key setup and optional webhooks or paid features that users should control.
Before installing, confirm you trust the TraderHC API service, use a dedicated AGENTHC_API_KEY, keep the key out of logs, and require explicit approval for premium endpoints, Lightning payments, or webhook alert subscriptions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the key may be able to use the associated market-data account, consume quotas, or access paid entitlements if enabled.
The setup flow intentionally displays a newly issued provider API key; this is expected for configuration, but the key grants service access and may be captured in terminal or CI logs.
echo "Registered! Your API key: $API_KEY"
Use a dedicated API key for this skill, avoid exposing it in logs or shared shell history, and rotate or revoke it if it may have been shared.
If used, market-alert data will be sent to the configured webhook or Discord destination, and the subscription may continue until managed through the service.
The skill documents configuring the provider to send real-time alert callbacks to a webhook URL; this is purpose-aligned but creates an external message flow that should be under the user's control.
curl -s -X POST "https://api.traderhc.com/api/v1/alerts/subscribe" ... -d '{"type": "market_events", "callback_url": "https://your-agent.com/webhook"}'Only use webhook URLs you control, confirm the destination before subscribing, and review how to disable or rotate alert subscriptions.
Users have less provenance context for who maintains the skill beyond the listed homepage and owner metadata.
The registry metadata does not identify a source repository or package origin, which is a provenance gap even though the provided local scripts are visible and coherent.
Source: unknown
Review the included scripts before running them and verify that api.traderhc.com is the intended provider.