Enables agents to interact with the eToro API to access market data, portfolio and social features, and execute trades programmatically. Supports both OAuth...
Security Analysis
high confidence
The skill's instructions, required inputs, and behavior are consistent with a client for the eToro API (including both OAuth and API-key flows); nothing in the SKILL.md asks for unrelated system access or installs arbitrary code.
The name/description (eToro trading client) matches the instructions: API base URL, auth flows (OAuth and API keys), headers, endpoints for demo vs real trading, and examples for placing orders. There are no unrelated environment variables, binaries, or install steps requested that would be unexpected for a trading integration.
SKILL.md focuses on calling eToro endpoints and handling tokens/keys. It references ctx.accessToken / ctx.apiKey / ctx.userKey (runtime context variables) and says keys are requested from the user at install. The registry metadata lists no required env vars, so keys are expected to be provided interactively at runtime rather than via declared env variables. This is reasonable, but you should confirm how the agent will prompt for and store those credentials. The documentation also mixes a PKCE flow with sending client_secret in the token exchange, which may be a small inaccuracy in the documentation (not a security indicator by itself).
No install spec and no code files — instruction-only skill. That minimizes the risk of arbitrary code being written to disk or executed during install.
The skill does not declare any required env vars but explicitly requires sensitive credentials at runtime (OAuth access_token or API keys/user key). That is proportional for a trading integration. Because the skill can execute trades, granting it these credentials is high-impact; ensure you only supply demo (virtual) keys for testing and limit permissions (read vs write) as appropriate.
always:false is set, and there are no install steps writing persistent binaries/configs. The skill is allowed to be invoked autonomously by the agent (default). Given its ability to execute trades, you should consider restricting autonomous execution or requiring explicit user confirmation before any real trade operations.
Guidance
This SKILL.md appears to be a straightforward eToro API integration and does not request unrelated system access. However, it will need either your OAuth access token or API keys/user key to function. These are powerful credentials that can place real trades. Before installing:
- Verify the skill source/owner (confirm you trust kn730v2... and the homepage) and prefer the official eToro portal and OAuth flow.
- Test in the demo/virtual environment first (use demo endpoints and demo User Keys).
- If you provide API keys, give the minimum permissions (read only) until you need write/trade capabilities; rotate/revoke keys after testing.
- Decide whether the agent should be allowed to call this skill autonomously; consider requiring explicit user confirmation for any real trade execution.
- Confirm how credentials will be collected and stored by the agent (don't paste keys into untrusted channels).
Latest Release
v1.0.0
Initial release: eToro API integration skill.
- Enables programmatic access to the eToro API for market data, portfolio management, social features, and trade execution.
- Supports both OAuth SSO and manual API key authentication methods.
- Provides guidance on API request conventions, authentication headers, and environment selection (demo vs real).
- Includes quick start examples for searching instruments and placing trades.
- Documents the most common endpoints for market data retrieval and trading operations.
Published by @marian2js on ClawHub