tradingview-api-integration
Fail
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: CRITICALEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions in
SKILL.mdinclude a command to download an updated OpenAPI 3.0 specification fromhttps://www.tradingviewapi.com/openapi.jsonto the localreferences/directory. This file is intended to serve as a machine-readable reference for endpoint schemas used by the agent during operation. - [COMMAND_EXECUTION]: The skill utilizes a local Python helper script,
scripts/tv_api.py, and various shell commands to perform API calls and parse JSON data. The script uses standard libraries and is limited to making network requests to the designated API host and managing local configuration. - [DATA_EXFILTRATION]: The skill handles an API key (
x-rapidapi-key) provided by the user. The helper script correctly sends this key only to the designated hosttradingview-data1.p.rapidapi.com. It includes a secure storage mechanism that saves the key locally in.rapidapi-keywith restricted file permissions (chmod 600), and only does so after receiving explicit user consent. - [SAFE]: Automated scanner flags for 'malicious URLs' and 'infected files' were evaluated and found to be false positives. The URLs belong to the API service provider, and the detections likely refer to the large volume of HTTP request examples and data-processing logic, which are consistent with the skill's documented purpose.
Recommendations
- HIGH: Downloads and executes remote code from: https://www.tradingviewapi.com/openapi.json - DO NOT USE without thorough review
- CRITICAL: 2 infected file(s) detected - DO NOT USE
- Contains 3 malicious URL(s) - DO NOT USE
Audit Metadata