Plugin v1.0.1
ClawScan security
Market · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 8:06 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package and its runtime instructions are internally consistent for a market-data client that requires a single AISA_API_KEY and python3; nothing in the code or SKILL.md tries to access unrelated credentials or system files.
- Guidance: This skill appears to be what it says: a market-data client that uses AISA_API_KEY to call api.aisa.one. Before installing, confirm you trust api.aisa.one and the publisher (check the GitHub repo/homepage). Treat the AISA_API_KEY like any API secret (use a least-privilege key if possible), and verify the platform will only expose that key to this plugin. Also double-check the registry/marketplace metadata (it should list AISA_API_KEY as required). The package manifests do, but the registry summary in the prompt does not, which may indicate a packaging metadata mismatch you should confirm is resolved.
Review Dimensions
- Purpose & Capability (ok): The skill's name/description (market data for stocks & crypto) matches the code and SKILL.md: it calls https://api.aisa.one for prices, news, filings, etc. Requiring python3 and an AISA_API_KEY is appropriate for this purpose. One minor packaging inconsistency: the top-level registry summary in the prompt lists 'Required env vars: none', but the manifests and SKILL.md clearly require AISA_API_KEY.
- Instruction Scope (ok): Runtime instructions and the Python client only reference the declared AISA_API_KEY, call the documented AIsa endpoints, and provide curl/CLI examples. The code does not read other environment variables, arbitrary files, or send data to unexpected endpoints.
- Install Mechanism (ok): No install spec (instruction-only + bundled scripts). The package ships a local Python script and manifests; nothing is downloaded from external or untrusted URLs during install. This is low-risk for installation mechanism.
- Credentials (note): Only one credential (AISA_API_KEY) is required and is explained in manifests and SKILL.md; that is proportionate. Note the registry-summary mismatch where required envs were listed as 'none' (likely packaging/metadata drift); you should verify the platform will prompt for the API key before usage.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request persistent/system-wide settings or modify other skills. Autonomous invocation (default) is allowed but not combined with any broad or unexplained privileges.
