Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

eToro Trading API

v1.0.0

eToro Public API — full trading, market data, social, and watchlist integration. Supports SSO, Bearer, and API key auth.

by Yoni @yoniassia
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, listed endpoints, and required binaries (curl, python3) are consistent with a simple instruction-only HTTP API integrator. However, the skill documents multiple auth modes (SSO/Bearer/API keys) but declares no required environment variables or 'primary credential', which is incomplete for a trading integration that must authenticate.
! Instruction Scope
SKILL.md stays focused on API endpoints and authentication, but it contains two risky operational details: trading defaults to mode=real (so actions are live unless explicitly switched) and 'All trading execution is logged with full request details before sending' — that logging could capture and expose sensitive tokens/keys unless its destination and retention are controlled. The instructions do not indicate how credentials are supplied or protected.
Install Mechanism
Instruction-only skill with no install spec and only a dependency on common binaries (curl, python3). This is low-risk from an install/extraction perspective.
! Credentials
The SKILL.md requires auth (Bearer, SSO, x-api-key/x-user-key) in practice, but requires.env is empty and no primary credential is declared. That mismatch is notable: the skill will need secrets at runtime but provides no guidance about secure provision, storage, or which vars the agent will read. Combined with the stated detailed logging, this increases risk of inadvertent credential exposure.
Persistence & Privilege
always:false and no required config paths or installation steps modifying agent/system configuration. The skill does not request persistent or global privileges.
What to consider before installing
This skill exposes live trading endpoints and lists several authentication modes but does not declare how credentials are provided or protected. Before installing or invoking it:
(1) verify the API base URL and official documentation—this package has no homepage/source link;
(2) never run trading actions without explicitly switching to demo mode until you have validated requests;
(3) avoid pasting secrets into free-text prompts—use a secure credential input mechanism and confirm where logs are written;
(4) ask the publisher to declare required env vars (or a secure auth flow) and to remove or clarify 'log full request details' so sensitive headers are not stored or transmitted;
(5) if you proceed, test only with demo accounts and carefully audit any logs to ensure API keys/tokens are not being captured or sent to external endpoints.

Like a lobster shell, security has layers — review code before you run it.

latest vk979m4syj7sm9g7b8acgqhxwed8234r1


Runtime requirements

📈 Clawdis
Bins: curl, python3
