tradingview-api-integration

Fail

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: CRITICALEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructions in SKILL.md include a command to download an updated OpenAPI 3.0 specification from https://www.tradingviewapi.com/openapi.json to the local references/ directory. This file is intended to serve as a machine-readable reference for endpoint schemas used by the agent during operation.
  • [COMMAND_EXECUTION]: The skill utilizes a local Python helper script, scripts/tv_api.py, and various shell commands to perform API calls and parse JSON data. The script uses standard libraries and is limited to making network requests to the designated API host and managing local configuration.
  • [DATA_EXFILTRATION]: The skill handles an API key (x-rapidapi-key) provided by the user. The helper script correctly sends this key only to the designated host tradingview-data1.p.rapidapi.com. It includes a secure storage mechanism that saves the key locally in .rapidapi-key with restricted file permissions (chmod 600), and only does so after receiving explicit user consent.
  • [SAFE]: Automated scanner flags for 'malicious URLs' and 'infected files' were evaluated and found to be false positives. The URLs belong to the API service provider, and the detections likely refer to the large volume of HTTP request examples and data-processing logic, which are consistent with the skill's documented purpose.
Recommendations
  • HIGH: Downloads and executes remote code from: https://www.tradingviewapi.com/openapi.json - DO NOT USE without thorough review
  • CRITICAL: 2 infected file(s) detected - DO NOT USE
  • Contains 3 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 13, 2026, 05:58 PM
Security Audit — agent-trust-hub — tradingview-api-integration