Is 0xjordansg-yolo/openclaw-aisa-financial-stock-crypto-market-price-data safe?
This skill is a clean financial market data API wrapper with no malicious indicators. It bundles well-structured API documentation and a standard-library Python client that only communicates with the declared api.aisa.one endpoint. No prompt injection, data exfiltration, suspicious clone behavior, or canary tampering was detected.
Findings (5)
LOW Executable Python API client included -15
The skill bundles a 350-line Python script (market_client.py) that the agent is instructed to execute. While the code is clean and uses only standard library modules, any executable code in a skill increases the attack surface. The script was thoroughly reviewed and contains no malicious patterns.
LOW API key transmitted to third-party endpoint -12
The skill requires the user to set AISA_API_KEY and transmits it as a Bearer token to api.aisa.one with every request. This is standard API client behavior but means the user's API key leaves the local machine to a third-party service.
INFO External API references in skill instructions -8
SKILL.md references api.aisa.one and aisa.mintlify.app as API endpoints. These are documented, legitimate endpoints for the skill's functionality, not instruction injection vectors.
INFO API responses may contain untrusted text content -10
News articles and company data returned by the API contain third-party text that could theoretically include prompt injection attempts. This is an inherent risk of any data-fetching skill and not specific to this implementation.
INFO Pay-per-call API with cost accumulation risk -8
The API uses a pay-as-you-go model ($0.0005-$0.002 per call). An agent using this skill autonomously could accumulate charges, though individual call costs are very low.