test202603131551
v1.0.0Retrieve real-time commodity price quotes using Octagon MCP. Use when checking current commodity prices, analyzing day ranges, comparing to moving averages,...
⭐ 0· 178·0 current·0 all-time
by@wdm1136
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description describe retrieving real-time commodity quotes and all instructions call the Octagon MCP 'octagon-agent' and reference octagon data sources — this is consistent with the stated purpose. There are no unrelated credentials, binaries, or config paths requested by the skill itself.
Instruction Scope
SKILL.md instructs the agent to call the 'octagon-agent' via MCP with a simple natural-language prompt and to interpret returned quote fields. It does not ask the agent to read arbitrary files, access unrelated system state, or exfiltrate data. The only external interaction is with the Octagon MCP tool (as expected).
Install Mechanism
The skill is instruction-only (no install spec). Setup docs instruct users to install/run Octagon MCP via npx (npm), and to install Node/Homebrew if needed. Using npx downloads code at runtime (moderate risk) but those instructions are reasonable for enabling the Octagon MCP integration and use standard hosts (npm, GitHub).
Credentials
The manifest lists no required env vars, but the README and setup references instruct configuring an OCTAGON_API_KEY for the Octagon service. That API key is proportional and expected for this skill's function. The mismatch between the manifest (no env) and the docs (OCTAGON_API_KEY required to configure MCP) is a documentation inconsistency to be aware of.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence. It is user-invocable and allows normal autonomous invocation (platform default), which is appropriate for a data-querying skill.
Assessment
This is an instruction-only skill that expects you to have Octagon MCP configured (the docs show how to run 'npx -y octagon-mcp' and set OCTAGON_API_KEY). Before enabling: (1) understand that you must provide an Octagon API key (the manifest didn't declare it, but the README/setup require it), (2) installing/running the MCP uses npx and will download/execute code from npm — only install if you trust Octagon, (3) review Octagon's privacy/terms to ensure you are comfortable sending queries to their service, and (4) no system files or unrelated credentials are requested by the skill itself. If you want stronger guarantees, request that the publisher add the OCTAGON_API_KEY requirement to the skill manifest so the platform can surface the credential need up front.Like a lobster shell, security has layers — review code before you run it.
latestvk971nqwkaxcrbvmfs03q4he3d582tnf8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.