← Back to Skills Marketplace
Tradekix
by
jamesjohnfox
· GitHub ↗
· v1.0.0
1043
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install tradekix
Description
Query financial market data via the Tradekix API — stock prices, crypto, forex, indices, market news, earnings, economic events, Congressional trades, and social sentiment. Use when the user asks about markets, stock prices, trading data, economic calendars, or financial news. Also handles API key signup and upgrade to Pro.
Usage Guidance
This skill appears to be a straightforward client for tradekix.ai, but before installing consider: 1) Signup will POST agent_name and email to https://www.tradekix.ai/api/v1/connect — don't provide a real personal email or sensitive identifying info if you don't trust the service. 2) The signup flow echoes the API response to stdout (including the returned api_key) — that can leak the key into logs or agent conversation history; treat those outputs as sensitive. 3) The skill stores the API key at ~/.config/tradekix/config.json (chmod 600) — if you share the machine or backups, consider the privacy implications. 4) The registry metadata lacks a homepage/source URL; if you need higher assurance, verify the tradekix.ai service and its owner before use. If you proceed, consider using a throwaway email for signup, inspect network calls in a controlled environment first, and delete the stored key when you no longer need it.
Capability Analysis
Type: OpenClaw Skill
Name: tradekix
Version: 1.0.0
The `scripts/tradekix.sh` file contains a significant shell injection vulnerability. Arguments passed to the script, such as `symbols` for the `prices` command or `name`/`email` for `signup`, are directly embedded into `curl` commands or JSON payloads without proper sanitization. This allows for arbitrary command execution (RCE) if a malicious prompt instructs the AI agent to provide crafted input (e.g., `AAPL,TSLA,BTC$(rm -rf /)` as a symbol). While the script's stated purpose is benign, this critical vulnerability makes it suspicious, as it could be exploited by a malicious actor to compromise the host system.
Capability Assessment
Purpose & Capability
Name/description match the included wrapper script and API docs. The script implements signup, price/market endpoints, upgrade, and revoke, which align with the stated purpose. No unrelated services or credentials are requested.
Instruction Scope
Runtime instructions and the script operate only against the tradekix.ai API and the local config file (~/.config/tradekix/config.json). They instruct the agent to sign up (POST /connect) and store the returned API key locally. This is within scope, but the automatic signup will transmit an agent name and email to an external service, and the script echoes the full API response to stdout (which may include the API key), potentially leaking secrets into logs/conversation history.
Install Mechanism
No install spec; the skill is instruction-only with an included Bash wrapper. Nothing is downloaded from third-party URLs or written outside the skill's own config directory, so install risk is low.
Credentials
The skill declares no required environment variables or credentials, which matches behavior. However it writes and reads ~/.config/tradekix/config.json (the registry metadata did not declare any required config paths) — a minor metadata inconsistency. Also, automatic signup sends an email and agent name to the external service and stores the returned API key locally; consider whether you want to expose that email/name and API key to the third party.
Persistence & Privilege
The script persists the API key under the user's home (~/.config/tradekix/config.json) and sets file permissions to 600. The skill does not request always: true and does not modify other skills or global agent settings. Persistence is limited to the skill's own config directory, which is expected behavior for an API client.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install tradekix - After installation, invoke the skill by name or use
/tradekix - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: financial market data API for AI agents
Metadata
Frequently Asked Questions
What is Tradekix?
Query financial market data via the Tradekix API — stock prices, crypto, forex, indices, market news, earnings, economic events, Congressional trades, and social sentiment. Use when the user asks about markets, stock prices, trading data, economic calendars, or financial news. Also handles API key signup and upgrade to Pro. It is an AI Agent Skill for Claude Code / OpenClaw, with 1043 downloads so far.
How do I install Tradekix?
Run "/install tradekix" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Tradekix free?
Yes, Tradekix is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Tradekix support?
Tradekix is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Tradekix?
It is built and maintained by jamesjohnfox (@jamesjohnfox); the current version is v1.0.0.
More Skills