Enables agents to interact with the eToro API to access market data, portfolio and social features, and execute trades programmatically.
Security Analysis
high confidenceThe SKILL.md expects user API keys and supports executing real trades, but the skill's declared metadata does not list any required credentials or environment variables — that's an inconsistency you should resolve before trusting it with real funds.
The skill's stated purpose (interact with eToro, including executing trades) matches the SKILL.md content. However, the registry metadata declares no required credentials or primary credential, while the runtime instructions clearly require a Public API Key and a User Key (with Real vs Demo environments). This mismatch is unexpected for a trading integration and reduces transparency about what sensitive inputs the skill will request.
The SKILL.md stays within the scope of an eToro API client (detailed endpoints, headers, casing rules, demo vs real endpoints, and example requests). It explicitly documents how to perform live trading and demo trading. It does not instruct the agent to read unrelated files or system state. The notable point: it tells the agent to 'request keys from the user on install' (i.e., prompt for secrets) even though those secrets aren't declared in the registry metadata.
This is an instruction-only skill with no install spec and no code files — nothing is written to disk by an installer, which is lower risk from an install perspective.
The runtime instructions require sensitive credentials (Public API Key and User Key) and environment selection (Real vs Virtual) to operate — reasonable for the stated purpose — but the skill metadata lists no required env vars or primary credential. That lack of declared secrets is disproportionate to the documented runtime needs and may hide what the agent will ask the user to provide.
The skill is not marked always:true and defaults allow model invocation (normal behavior). There is no indication the skill will modify other skills or request persistent system-wide privileges.
Guidance
This skill's documentation shows it will ask you for an eToro Public API Key and a User Key and can execute real trades — but the registry metadata didn't declare any required credentials. Before installing: (1) confirm the skill's origin (source is listed as unknown despite an eToro homepage link); (2) demand that the publisher declare required credentials in the metadata; (3) for testing only give a demo/virtual User Key with limited permissions (prefer Read-only or demo keys); (4) do not provide real trading keys unless you fully trust the skill and its publisher and you are prepared for the agent to place orders; (5) prefer explicit prompts/consent before any real-trade API call and check logs/confirmations. If the publisher cannot justify why credentials are omitted from metadata, treat the skill as untrusted.
Latest Release
v1.0.0
Initial release of the etoro-api skill, providing programmatic access to eToro's trading and market data API. - Enables agents to access eToro market data, portfolio information, and social features. - Supports executing trades, including buy/sell orders, using demo or real accounts. - Includes detailed authentication and key management instructions. - Covers endpoints for searching instruments, managing watchlists, and retrieving trading history. - Provides request conventions, parameter casing, and guidelines for using both demo and real environments.
More by @marian2js
Published by @marian2js on ClawHub
