eToro Trading API

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill describes live eToro trading access and defaults trades to real money without enough confirmation, scoping, or credential safeguards.

Only install this if you intentionally want an agent to access eToro trading functions. Use demo/read-only access first, keep credentials out of chat when possible, require explicit confirmation for every real trade or public post, and make sure all auth headers are redacted from logs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1 of 3: live trading defaults to real money

What this means

An agent could place, close, or cancel real trades on the user's eToro account, potentially causing financial loss.

Why it was flagged

The skill guides the agent to live order creation and closing endpoints, and explicitly makes real-money trading the default. The artifact does not require explicit user approval, limits, or a demo/read-only default before financial actions.

Skill content
`open_position_by_amount` | POST | `/trading/execution/market-open-orders/by-amount`
`close_position` | POST ...
"Trading tools default to `mode=real`. Only use demo if explicitly requested."

Recommendation

Default to demo or read-only mode. Require explicit user confirmation for every real trade, including account mode, instrument ID, side, amount/units, order type, price, and risk limits.

Finding 2 of 3: broad personal credentials with no least-privilege scoping

What this means

If broad eToro credentials are given to the agent, they may enable more account access and trading authority than the user intended.

Why it was flagged

These are personal account credentials for an API that includes portfolio access and trading execution, but the artifacts do not define least-privilege scopes, safe storage, redaction, or a clear credential contract.

Skill content
`SSO Access Token`: `Authorization: Bearer <access_token>` ...
`API Keys`: `x-api-key` + `x-user-key` + `x-request-id`

Recommendation

Use the least-privileged credential available, prefer demo or read-only credentials when possible, avoid pasting tokens into chat, and clearly separate real-trading credentials from demo credentials.
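The two recommendations above (a demo default with explicit, field-by-field confirmation for real trades, and demo credentials kept apart from real ones) can be enforced in one gate in front of the order call. The following is an added example written for this review, not code from the skill or from eToro: only the endpoint path comes from the skill table; the request and confirmation field names, the body keys, the environment variable names (`ETORO_DEMO_*`, `ETORO_REAL_*`) and the risk limit are assumptions.

```python
"""Trade-authorization gate: demo by default, explicit sign-off for real money,
and per-mode credential selection. Added example, not the skill's own code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Endpoint path as shown in the skill table; every other name here is assumed.
OPEN_BY_AMOUNT_PATH = "/trading/execution/market-open-orders/by-amount"
# Every one of these must be echoed back in the user's confirmation.
CONFIRMED_FIELDS = ("mode", "instrument_id", "side", "amount", "order_type", "price")


@dataclass(frozen=True)
class TradeRequest:
    instrument_id: int
    side: str                      # "buy" or "sell"
    amount: float                  # account-currency amount
    order_type: str                # e.g. "market" or "limit" (assumed names)
    price: Optional[float] = None
    mode: str = "demo"             # demo unless the caller explicitly asks for real


@dataclass(frozen=True)
class Confirmation:
    """What the user explicitly approved; compared field by field with the request."""
    mode: str
    instrument_id: int
    side: str
    amount: float
    order_type: str
    price: Optional[float] = None


def confirmation_prompt(req: TradeRequest) -> str:
    """Summary the user signs off on; contains no credentials or account identifiers."""
    return (f"Confirm {req.mode.upper()} {req.side} of {req.amount} on instrument "
            f"{req.instrument_id} ({req.order_type}, price={req.price})")


def authorize_trade(req: TradeRequest, confirmation: Optional[Confirmation],
                    max_real_amount: float) -> Tuple[bool, str]:
    """Demo orders pass; real orders need a matching confirmation and a risk limit."""
    if req.mode not in ("demo", "real"):
        return False, f"unknown mode {req.mode!r}"
    if req.side not in ("buy", "sell") or req.amount <= 0:
        return False, "malformed order"
    if req.mode == "demo":
        return True, "demo order, no real funds"
    if confirmation is None:
        return False, "real order requires explicit user confirmation"
    for field in CONFIRMED_FIELDS:
        if getattr(confirmation, field) != getattr(req, field):
            return False, f"confirmation does not match request field {field!r}"
    if req.amount > max_real_amount:
        return False, f"amount {req.amount} exceeds risk limit {max_real_amount}"
    return True, "real order confirmed"


def credentials_for(mode: str, env: Dict[str, str]) -> Dict[str, str]:
    """Pick the credential set for the mode. Demo and real keys live in separate
    variables (assumed names) so an agent holding demo keys cannot trade real money."""
    prefix = {"demo": "ETORO_DEMO_", "real": "ETORO_REAL_"}[mode]
    creds = {}
    for header, var in (("x-api-key", "API_KEY"), ("x-user-key", "USER_KEY")):
        value = env.get(prefix + var)
        if not value:
            raise KeyError(f"missing {prefix + var} for mode {mode!r}")
        creds[header] = value
    return creds


def prepare_open_order(req: TradeRequest, confirmation: Optional[Confirmation],
                       max_real_amount: float, env: Dict[str, str]):
    """Returns (path, headers, body) only when the gate passes; raises otherwise.
    Credentials are read only after authorization, so a refused real order never
    touches real keys. Body key names are assumptions."""
    ok, reason = authorize_trade(req, confirmation, max_real_amount)
    if not ok:
        raise PermissionError(reason)
    headers = credentials_for(req.mode, env)
    body = {"mode": req.mode, "instrumentId": req.instrument_id, "side": req.side,
            "amount": req.amount, "orderType": req.order_type, "price": req.price}
    return OPEN_BY_AMOUNT_PATH, headers, body


if __name__ == "__main__":
    # Constructed environment with made-up key values.
    env = {"ETORO_DEMO_API_KEY": "demo-key", "ETORO_DEMO_USER_KEY": "demo-user",
           "ETORO_REAL_API_KEY": "real-key", "ETORO_REAL_USER_KEY": "real-user"}
    real = TradeRequest(instrument_id=1001, side="buy", amount=25.0,
                        order_type="market", mode="real")
    print(confirmation_prompt(real))
    print(authorize_trade(real, None, 100.0))        # refused: no confirmation
    approved = Confirmation("real", 1001, "buy", 25.0, "market")
    print(prepare_open_order(real, approved, 100.0, env))
```

The point of comparing every field rather than accepting a bare "yes" is that a prompt-injected or confused agent cannot obtain approval for one order and spend it on another; the confirmation is bound to mode, instrument, side, amount, order type and price.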

Finding 3 of 3: full request logging without redaction

What this means

Sensitive tokens, account details, or trading instructions could be exposed or retained if full requests are logged without redaction.

Why it was flagged

This appears intended for transparency, but the artifact does not say authentication headers or account/order details are redacted before being placed in logs or agent context.

Skill content
"All trading execution is logged with full request details before sending."

Recommendation

Log only non-sensitive order summaries and redact Authorization, x-api-key, x-user-key, account identifiers, and other secrets.
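One way to implement that recommendation is to build the log record from an allowlist rather than trying to name every secret header, and to refuse to write a line if any known secret value survives. The block below is an added example for this review, not the skill's logging code: the header names come from the skill's auth description, the endpoint path from its tool table, and the sample token, key values, body keys and `accountId` field are constructed assumptions.

```python
"""Redacting trade-execution logs. Added example, not the skill's own logging."""
import json
import re
from typing import Any, Dict, Iterable

REDACTED = "[REDACTED]"
# Allowlist: any header not named here is redacted, so a newly added secret
# header is safe by default instead of leaking until someone updates a denylist.
LOGGABLE_HEADERS = {"content-type", "accept", "x-request-id"}
# Order fields safe to keep in a summary (assumed body keys); account
# identifiers are deliberately absent.
LOGGABLE_ORDER_FIELDS = ("mode", "instrumentId", "side", "amount", "orderType", "price")
# Bearer tokens that ended up in free text (paths, error messages, notes).
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+")

# Constructed sample request; token and key values are made up.
SAMPLE_HEADERS = {
    "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln",
    "x-api-key": "ak_live_0123456789",
    "x-user-key": "uk_0123456789",
    "x-request-id": "req-0001",
    "Content-Type": "application/json",
}
SAMPLE_BODY = {"mode": "real", "instrumentId": 1001, "side": "buy", "amount": 25.0,
               "orderType": "market", "price": None, "accountId": 987654321}


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep only allowlisted headers (case-insensitive); mask everything else."""
    return {name: (value if name.lower() in LOGGABLE_HEADERS else REDACTED)
            for name, value in headers.items()}


def scrub_text(text: str) -> str:
    """Mask bearer tokens embedded in arbitrary strings."""
    return BEARER_RE.sub("Bearer " + REDACTED, text)


def order_summary(body: Dict[str, Any]) -> Dict[str, Any]:
    """Non-sensitive order summary: only allowlisted fields are copied."""
    return {k: body[k] for k in LOGGABLE_ORDER_FIELDS if k in body}


def loggable_record(method: str, path: str, headers: Dict[str, str],
                    body: Dict[str, Any]) -> Dict[str, Any]:
    return {"method": method, "path": scrub_text(path),
            "headers": redact_headers(headers), "order": order_summary(body)}


def log_line(record: Dict[str, Any]) -> str:
    return json.dumps(record, sort_keys=True)


def leaks_secret(text: str, secrets: Iterable[str]) -> bool:
    """Final check before writing: does any known secret value still appear?"""
    return any(s in text for s in secrets)


def safe_log_line(method: str, path: str, headers: Dict[str, str],
                  body: Dict[str, Any], secrets: Iterable[str]) -> str:
    """Redact, then refuse to emit the line if redaction missed a secret."""
    line = log_line(loggable_record(method, path, headers, body))
    if leaks_secret(line, secrets):
        raise ValueError("refusing to log: secret material survived redaction")
    return line


if __name__ == "__main__":
    secrets = [SAMPLE_HEADERS["Authorization"].split()[1],
               SAMPLE_HEADERS["x-api-key"], SAMPLE_HEADERS["x-user-key"]]
    print(safe_log_line("POST", "/trading/execution/market-open-orders/by-amount",
                        SAMPLE_HEADERS, SAMPLE_BODY, secrets))
```

`x-request-id` is kept because it is the correlation value you need when reconciling a trade with the broker, while the two key headers and the bearer token are masked regardless of how they are capitalised. The same `loggable_record` output is what should be placed in the agent's context if the skill wants "transparency", since anything the agent can see can also be repeated in a later message.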