qutedance-quotes
PassAudited by ClawScan on May 10, 2026.
Overview
The skill coherently performs market quote lookups through a disclosed Qutedance API, but it can use a Qutedance API key that should be handled carefully.
This looks safe for its stated purpose if you trust the Qutedance service endpoint. Before installing, confirm that sending requested symbols/searches to https://quotedance.api.gapgap.cc is acceptable, and configure any API key carefully—prefer an environment variable or a limited key rather than storing a real secret in the skill files.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you configure an API key, the skill will use it when contacting the Qutedance quote service.
The script can read a Qutedance API key from config or the environment and send it as an authentication header to the configured service. This is purpose-aligned for a protected quote API, but it is still credential handling.
const API_KEY = CONFIG.apiKey || process.env.QUTEDANCE_API_KEY || ''; ... headers['X-API-Key'] = API_KEY;
Use a limited-scope key if available, avoid committing real keys in config.json, and prefer environment-based secret management.