Stock Market Intelligence
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: agenthc-market-intelligence Version: 2.4.0 The skill bundle provides a legitimate interface for a market intelligence API (api.traderhc.com). The included shell scripts (agenthc.sh and setup.sh) contain appropriate input sanitization to prevent injection attacks and follow standard practices for API registration and data retrieval without any evidence of malicious intent, data exfiltration, or persistence mechanisms.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the key may be able to use the associated market-data account, consume quotas, or access paid entitlements if enabled.
The setup flow intentionally displays a newly issued provider API key; this is expected for configuration, but the key grants service access and may be captured in terminal or CI logs.
echo "Registered! Your API key: $API_KEY"
Use a dedicated API key for this skill, avoid exposing it in logs or shared shell history, and rotate or revoke it if it may have been shared.
If used, market-alert data will be sent to the configured webhook or Discord destination, and the subscription may continue until managed through the service.
The skill documents configuring the provider to send real-time alert callbacks to a webhook URL; this is purpose-aligned but creates an external message flow that should be under the user's control.
curl -s -X POST "https://api.traderhc.com/api/v1/alerts/subscribe" ... -d '{"type": "market_events", "callback_url": "https://your-agent.com/webhook"}'Only use webhook URLs you control, confirm the destination before subscribing, and review how to disable or rotate alert subscriptions.
Users have less provenance context for who maintains the skill beyond the listed homepage and owner metadata.
The registry metadata does not identify a source repository or package origin, which is a provenance gap even though the provided local scripts are visible and coherent.
Source: unknown
Review the included scripts before running them and verify that api.traderhc.com is the intended provider.