Tradekix

Query financial market data via the Tradekix API — stock prices, crypto, forex, indices, market news, earnings, economic events, Congressional trades, and social sentiment. Use when the user asks about markets, stock prices, trading data, economic calendars, or financial news. Also handles API key signup and upgrade to Pro.

This skill appears to be a straightforward client for tradekix.ai, but before installing consider: 1) Signup will POST agent_name and email to https://www.tradekix.ai/api/v1/connect — don't provide a real personal email or sensitive identifying info if you don't trust the service. 2) The signup flow echoes the API response to stdout (including the returned api_key) — that can leak the key into logs or agent conversation history; treat those outputs as sensitive. 3) The skill stores the API key at ~/.config/tradekix/config.json (chmod 600) — if you share the machine or backups, consider the privacy implications. 4) The registry metadata lacks a homepage/source URL; if you need higher assurance, verify the tradekix.ai service and its owner before use. If you proceed, consider using a throwaway email for signup, inspect network calls in a controlled environment first, and delete the stored key when you no longer need it.

Type: OpenClaw Skill Name: tradekix Version: 1.0.0 The `scripts/tradekix.sh` file contains a significant shell injection vulnerability. Arguments passed to the script, such as `symbols` for the `prices` command or `name`/`email` for `signup`, are directly embedded into `curl` commands or JSON payloads without proper sanitization. This allows for arbitrary command execution (RCE) if a malicious prompt instructs the AI agent to provide crafted input (e.g., `AAPL,TSLA,BTC$(rm -rf /)` as a symbol). While the script's stated purpose is benign, this critical vulnerability makes it suspicious, as it could be exploited by a malicious actor to compromise the host system.