Is jamesjohnfox/tradekix safe?

https://github.com/openclaw/skills/tree/main/skills/jamesjohnfox/tradekix

79
CAUTION

Tradekix is a financial market data API wrapper that presents no active prompt injection or malware. Its primary risks are privacy and trust: the skill auto-registers the agent's name and email with an unverified third-party service (tradekix.ai, operated by unknown author 'jamesjohnfox' at version 1.0.0), all financial queries are permanently logged by this unknown operator, and the upgrade flow returns payment URLs sourced from an untrusted server. No canary files were exfiltrated and install-time behavior was clean, but the ongoing account relationship with an unverified service creates material privacy and phishing exposure for users.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 82/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (7)

HIGH Auto-registration sends agent identity to unverified third party -20

The skill instructs the agent to automatically sign up for a tradekix.ai API key using the agent's name and the user's email address, with no explicit user confirmation step. This data is sent to an unverified external service (tradekix.ai) operated by an unknown party. The email is stored server-side by tradekix.ai and shown only once, creating an unauditable account relationship.

HIGH Unverified service with no reputation — all financial queries logged externally -30

tradekix.ai is an unverified financial data provider operated by 'jamesjohnfox' with no established reputation. All market data queries (prices, news, congressional trades, sentiment, economic events) are routed through this service, giving the operator a complete log of the agent's financial query patterns, timestamps, and API key usage. The service could be operated maliciously, shut down without notice, or sold to a different operator.

MEDIUM Canary credential files accessed during install period -10

Sensitive credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed at two points: during VM session initialization (pre-install, attributed to PAM/sshd) and again post-install (timestamp 1771927161.134, process attribution unclear). Canary integrity check confirmed files were not modified or exfiltrated. Skill code does not reference these paths. Accesses are most likely from system background processes or the Oathe monitoring framework's canary verification scan.

MEDIUM Upgrade flow redirects to Stripe checkout URL from untrusted server -15

The 'upgrade' command calls POST /keys/upgrade on tradekix.ai and returns a data.checkout_url (Stripe checkout link). This URL is generated by the tradekix.ai operator and could be changed to point to a phishing page instead of legitimate Stripe at any time. The agent is expected to present this URL to the user for payment.

LOW Unexplained moltbook_id parameter in signup -10

The signup command and API accept an optional 'moltbook_id' parameter. This identifier is not explained in the skill description or documentation. It could serve as a cross-service account linking mechanism, affiliate tracking, or correlation ID. Its purpose is opaque.

LOW Shell script execution with inline Python -8

The skill includes a bash script that will be executed by the agent. The script uses Python3 inline execution for JSON config parsing. While this is expected behavior for a script-based skill and the config file path is hardcoded, shell script execution is an inherent code execution surface.

INFO Clean install — only expected GitHub connections -2

The skill was installed via sparse git checkout from the openclaw/skills monorepo on GitHub. Only GitHub IPs (140.82.113.4) were contacted during install. Ubuntu system update services were active as background noise. No unexpected processes were spawned and no filesystem changes occurred outside the skill directory.