OpenMM Portfolio

v0.1.1

Balance tracking, order overview, and market data across exchanges using OpenMM.

by Angelos Kappos @adacapo21
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill name/description and the declared required binary (openmm) and npm package (@3rd-eye-labs/openmm) align with a portfolio/market-data tool. However the registry metadata lists four required API_KEY environment variables (MEXC_API_KEY, GATEIO_API_KEY, BITGET_API_KEY, KRAKEN_API_KEY) while the SKILL.md says 'At least one exchange must be configured' — requiring all four keys in metadata is inconsistent with the stated requirement. This mismatch is unexplained and makes the declared requirements not proportional to the described purpose.
!
Instruction Scope
The runtime instructions are narrowly scoped to running the openmm CLI (balance, orders, ticker, orderbook, etc.), which is expected. But SKILL.md references additional environment variables that are not declared in metadata (e.g., MEXC_SECRET, MEXC_UID, GATEIO_SECRET, BITGET_SECRET, BITGET_PASSPHRASE, KRAKEN_SECRET) and says 'Credentials are set via environment variables and stored locally' without specifying where or how. The instructions therefore access/expect secrets beyond the declared required.env and leave vague storage behavior — both are red flags for credential handling and scope clarity.
Install Mechanism
Install is via an npm package (@3rd-eye-labs/openmm) that provides the openmm binary. This is a common, expected mechanism for providing a CLI. It's a moderate-risk install (third-party npm package); there is no direct download-from-URL or archive extract. You should verify the npm package's publisher, inspect its source, and confirm it does not perform unexpected network calls or write secrets to unexpected locations.
!
Credentials
Requesting exchange API keys is reasonable for a cross-exchange portfolio tool, but the metadata requires four API_KEY variables even though the instructions say only one exchange must be configured. Additionally, SKILL.md expects secrets and a passphrase for some exchanges but those are not declared in the required.env list. Requiring multiple unrelated credentials up-front (or declaring them as all required) is disproportionate and ambiguous; the skill also does not explain permission scope (read-only vs trading) or where credentials are stored.
Persistence & Privilege
The skill does not request always:true, does not list config paths, and does not claim to modify other skills or system-wide settings. Model invocation is allowed (default) which is normal for skills — this is not by itself a problem. The only persistence hint is SKILL.md's vague statement that credentials are "stored locally," which should be clarified before use.
What to consider before installing
This skill appears to be the openmm CLI wrapper it claims to be, but there are a few red flags you should address before installing or providing secrets:
- Metadata inconsistency: the registry lists all four exchange API_KEY variables as required, but the instructions say you only need to configure at least one exchange. Do not assume you must supply every key — verify whether keys are truly required and why metadata requires them.
- Undeclared secrets: SKILL.md shows additional environment variables (SECRETS and BITGET_PASSPHRASE) that are not declared in metadata. Ask where and how these are used and stored, and whether they are optional.
- Inspect the npm package: the skill installs @3rd-eye-labs/openmm to provide the binary. Before installing, check the package source on the npm registry or its repository to ensure it does not exfiltrate credentials, persist them insecurely, or perform unexpected network calls.
- Use least-privilege keys: supply read-only API keys with limited permissions (no trading/withdraw) and consider using exchange sub-accounts or IP whitelisting while testing.
- Ask for clarification: request the skill author to (a) correct required.env to include any required SECRETS/PASSPHRASE or state they are optional, (b) document exactly where credentials are stored and how they are protected, and (c) provide a link to the npm package source/repo for review.
If you cannot validate these points, avoid providing live API secrets or installing in a production environment.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

💼 Clawdis
Bins: openmm
Env: MEXC_API_KEY, GATEIO_API_KEY, BITGET_API_KEY, KRAKEN_API_KEY

Install

Node
Bins: openmm
npm i -g @3rd-eye-labs/openmm
