Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Portfolio Risk Analyzer
v1.0.0
Analyze your portfolio to identify concentration risks, calculate Value at Risk, estimate drawdowns, beta, Sharpe ratio, income, run stress tests, and sugges...
by @1kalin
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the runtime instructions: the SKILL.md describes pricing lookups, VaR, drawdown, beta, Sharpe, stress tests and tax-loss scanning — all achievable as advisory calculations using web-scraped data. No unexpected credentials, binaries, or installs are requested.
Instruction Scope
Instructions are focused on computing risk metrics using user-provided portfolio data plus web searches for prices, volatility, beta, yields and the T‑bill rate. The skill does instruct the agent to 'record source and timestamp' for lookups. It also claims features like 'daily alerts', 'monitoring', and an 'automated scanner' which imply persistent/scheduled behavior that the instruction-only skill does not implement or request permissions for — this is a capability/marketing mismatch rather than an overt security problem. Be aware that using web search for prices means portfolio holdings are reflected in external search queries (potential information leakage).
Install Mechanism
No install spec and no code files are present; runtime is instruction-only so nothing is written to disk or downloaded. This reduces attack surface.
Credentials
The skill declares no environment variables, credentials, or config paths — consistent with its stated approach of web searches and local computation. There are no disproportionate credential requests.
Persistence & Privilege
always:false and default autonomous invocation are appropriate. The README and SKILL.md mention monitoring/alerts and automated scanning, but the skill does not request persistent presence or scheduling capabilities — the user should not assume the skill will autonomously run background tasks without additional infrastructure or credentials.
Assessment
This skill appears coherent: it uses the portfolio you provide and public web searches to compute risk metrics — no credentials or installs required. Before installing/using it, consider: (1) web-search lookups will cause your portfolio tickers/holdings to appear in search queries (possible information leakage); avoid submitting highly sensitive holdings if you are concerned. (2) The README's claims about 'daily alerts', 'monitoring', and 'automated scanners' are marketing — this instruction-only skill won't set up background jobs or act on your brokerage without extra services or credentials. (3) Web-scraped prices, betas and volatilities can vary by source; verify critical numbers before acting on trade or tax suggestions. If you want true automated monitoring or broker actions, expect to need additional, explicit integrations (and to grant only the minimum required credentials).
Like a lobster shell, security has layers — review code before you run it.
Tags: crypto, finance, investing, latest, portfolio, risk, stocks
