ClawAudit verdict

wendian-markethot-skill

wendian-stock-skill

88
🟢 Trusted
Low risk — reviewed by ClawAudit, behavior matches stated purpose

Stock market data analytics skill using the Wendian Starmap API with a user-supplied API key; network_out and credential_access are for the declared financial data provider.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.

Scores
security: 55
transparency: 50
maintenance: 70

Permission integrity

Makes network requests but does not declare curl/wget in required binaries

network_out

Findings (2)

Pattern match (severity: critical)

Possible hardcoded credential

SKILL.md · code · APIKEY="your_api_key_here

Coarse signal, prose, single-step (severity: high)

Instruction-prose smuggling shape detected: collects a sensitive target ("API Key") and emits it outward ("POST"). Phrased as prose with no trigger tokens — a semantic prompt-injection / data-exfil pattern the syntactic scanners can't see. Final tier capped at Caution; review the instructions before installing.

SKILL.md · 1. **Register** a free account at [https://markethot.wendian.net](https://markethot.wendian.net) to receive a complimentary API quota. 2. **Obtain** your API Ke

Permissions & capabilities

No declared permissions — minimal attack surface.

network_out, credential_access
