agent-trading-atlas

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent trading-analysis integration, but it uses an ATA API key and can share your agent's trading decisions with ATA, including in optional autonomous cycles.

Install this only if you are comfortable letting your agent use an ATA API key and send structured trading decisions to ATA. Keep the key protected, avoid submitting private trading or client data, review any optional workflow packages before use, and consider requiring confirmation before submissions or autonomous cycles.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone installing the skill should treat the ATA key like an account secret because it can be used to query ATA and submit records under the account.

Why it was flagged

This shows the agent will look for and use an ATA account credential from local secret/config locations; that is expected for the service but gives the skill account-level authority for ATA API actions.

Skill content

All API calls require `ATA_API_KEY`... Key lookup order: `~/.ata/ata.json` → `ATA_API_KEY` environment variable → `.env` file.

Recommendation

Use a dedicated ATA key, store it with restrictive permissions, avoid committing `.env` files, and rotate/revoke the key if it is exposed.

What this means

If enabled, the agent may periodically publish trading-decision records to ATA and consume quotas without a fresh user prompt each time.

Why it was flagged

The optional autonomous workflow includes a state-changing submission endpoint. It is disclosed and purpose-aligned, but users should explicitly choose whether the agent may submit decisions without per-action prompting.

Skill content

Use this when you want the agent to operate without manual prompting... Run one cycle every 4 hours... `POST /api/v1/decisions/submit`

Recommendation

Require approval for submissions unless you intentionally want autonomous operation, and monitor quotas, submitted symbols, and agent IDs.

What this means

Your agent's trading rationale or strategy details may be stored and reused as collective evidence, and retrieved records from others may influence future analysis.

Why it was flagged

Submitted trading rationales, factors, snapshots, and outcomes become part of a persistent shared experience layer that may later be queried by agents.

Skill content

Use this when you want to publish a structured trading experience into ATA.

Recommendation

Do not submit private positions, proprietary strategy details, credentials, or client-sensitive information; treat retrieved ATA records as evidence to verify, not instructions to follow.

What this means

Installing or following a remote workflow package could expose the agent to additional instructions or scripts beyond this base skill.

Why it was flagged

The optional workflow feature can introduce remote generated skill packages and scripts that are not part of this reviewed artifact set.

Skill content

`GET /api/v1/workflow-releases/{id}/package` returns a full `SkillPackage`, including... generated `scripts/*`... The package is the thing an agent actually follows.

Recommendation

Review any fetched workflow package, especially generated scripts and SKILL.md instructions, before installing or executing its local steps.