datatk-quote-skill Security Report — Trusted | ClawSafe

0 /100

datatk-quote-skill

Real-time stock market data via QuoteNode API. Query quotes, K-lines, tick trades, Level-2 depth, and trading calendars for US/HK/CN markets.

The datatk-quote-skill is a legitimate market-data API wrapper with no malicious behavior, strong security controls, and accurate documentation.

Skill Namedatatk-quote-skill

Duration32.3s

Enginepi

✓

Safe to install

This skill is safe to use. The script enforces HTTPS, domain allowlisting, and path validation. No action required.

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No filesystem access in scripts/request.mjs
Network	`READ`	`READ`	✓ Aligned	Only POST requests to configured API endpoint with X-API-KEY header; HTTPS enfor…
Shell	`NONE`	`NONE`	—	No shell execution found
Environment	`NONE`	`NONE`	—	No environment variable access
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access

2 findings

🔗

Medium External URL 外部 URL

https://www.datatk.com/service

SKILL.md:44

🔗

Medium External URL 外部 URL

https://your-endpoint.com

env.example.json:2

File Tree

7 files · 22.6 KB · 763 lines

Markdown 5f · 576L JavaScript 1f · 184L JSON 1f · 3L

├─ ▾ 📁 references

│ ├─ 📝 architecture.md Markdown 42L · 2.1 KB

│ ├─ 📝 openapi.md Markdown 162L · 4.3 KB

│ ├─ 📝 reference.md Markdown 135L · 2.9 KB

│ └─ 📝 response.md Markdown 191L · 6.3 KB

├─ ▾ 📁 scripts

│ └─ 📜 request.mjs JavaScript 184L · 4.7 KB

├─ 📋 env.example.json JSON 3L · 78 B

└─ 📝 SKILL.md Markdown 46L · 2.1 KB

✓ HTTPS-only enforcement in assertSafeEndpoint() prevents plaintext exfiltration

✓ Domain allowlist restricts network calls to quote.datatk.com, www.datatk.com, and *.datatk.com subdomains

✓ Raw IP endpoints are explicitly blocked as an anti-exfiltration measure

✓ Path traversal protection via .. check in assertSafePath()

✓ Path must start with /Api/ — prevents arbitrary endpoint access

✓ API key and endpoint read from local env.json only — no environment variable harvesting

✓ Placeholder value detection prevents accidental use of unconfigured credentials

✓ All documentation files (openapi.md, reference.md, response.md, architecture.md) accurately describe the API surface with no hidden functionality

✓ No shell execution, no obfuscation, no credential exfiltration

✓ Clean dependency footprint — no external package dependencies (uses only Node.js built-ins: fs/promises, path, url)