OpenMM Portfolio
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears aimed at legitimate portfolio viewing, but it needs review because it asks for cryptocurrency exchange secrets and allows broad OpenMM CLI use without a clear read-only boundary.
Only install this if you trust the OpenMM npm package and are comfortable connecting exchange accounts. Use read-only API keys, disable withdrawals and trading unless intentionally needed, configure only necessary exchanges, and require explicit approval before any action beyond viewing balances, open orders, or market data.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If over-permissioned exchange keys are configured, the agent or underlying CLI may have access beyond merely viewing balances and orders.
The skill requires private cryptocurrency exchange credentials, including secrets and passphrases, but does not state that keys should be read-only or restricted from trading/withdrawals.
MEXC_API_KEY=your-mexc-api-key ... MEXC_SECRET=your-mexc-secret ... BITGET_SECRET=your-bitget-secret ... KRAKEN_SECRET=your-kraken-secret
Use only read-only API keys where possible, disable withdrawals and trading unless explicitly needed, configure only the exchanges you intend to query, and rotate keys if exposed.
A broad CLI allowance could let the agent use OpenMM functionality outside the stated portfolio-viewing workflow if such subcommands exist.
The skill allows the agent to run any `openmm` CLI command, not just the documented read-only balance, order-listing, and market-data commands.
allowed-tools: Read, Glob, Grep, Bash(openmm:*)
Install only if you are comfortable with the agent invoking OpenMM. Prefer a narrower tool allowlist or explicit instructions requiring user confirmation before any trade, order cancellation, account mutation, or non-view operation.
This wording may lead an agent or user to treat the skill as part of a trading workflow, even though the instructions set no explicit trade-safety boundary.
The tips mention trading and minimum order values even though the skill description focuses on portfolio viewing and market data.
Check balances before trading ... Respect minimum order values — MEXC/Gate.io/Bitget: 1 USDT, Kraken: 5 EUR/USD
Treat this skill as read-only unless you explicitly ask for trading-related actions and have reviewed the permissions on your exchange API keys.
The static scan could not review the OpenMM package code, so users must trust that external package with their configured exchange credentials.
The executable behavior comes from an external npm package rather than from code included in the skill artifacts; the registry also lists the package source as unknown and gives no homepage.
node | package: @3rd-eye-labs/openmm | creates binaries: openmm
Verify the npm package provenance, version, maintainer, and documentation before installing, especially because it will handle exchange credentials.
Your holdings and open orders may become visible to the agent session and any systems that log or store model/tool outputs.
The skill retrieves private balance and open-order data into command output that the agent may parse or include in conversation context.
openmm balance --exchange mexc --json ... openmm orders list --exchange kraken --limit 5
Query only the accounts and assets needed, avoid sharing outputs unnecessarily, and do not paste or store sensitive portfolio data outside trusted contexts.
