portfolio tracking

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate portfolio tracker, but it needs review because it handles financial credentials while overstating that everything stays local.

Install only if you are comfortable with outbound calls to market-data, exchange, brokerage, and blockchain RPC services, and with the skill persisting the financial-profile data it collects during an AI session. Use read-only API keys with withdrawals and trading disabled, protect ~/.portfolio-tracker/config.json with restrictive permissions (owner-only, chmod 600), avoid shared machines, and review sync results before trusting them, because account sync treats the remote account as authoritative and may overwrite or remove local portfolio records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

MCP Least Privilege

Medium
Confidence
93% confidence
Finding
The skill declares itself as entirely local and does not disclose permissions, yet the documented behavior clearly requires network access and handling of sensitive configuration data. This creates a misleading trust boundary: users may provide API keys, wallet addresses, and portfolio data believing nothing leaves the machine, when the skill can initiate outbound requests to multiple third-party services.

MCP Tool Poisoning

High
Confidence
97% confidence
Finding
The documented behavior materially contradicts the description that the tracker runs entirely locally and keeps all data local. In practice, the skill fetches remote prices, validates and syncs brokerage credentials, and queries wallet balances over the network, which can expose sensitive financial metadata and credentials to external providers or intermediaries.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The claim that the skill runs entirely locally is contradicted by explicit support for external fetch and sync operations. This is dangerous because users may rely on the promise of local-only processing when deciding to enter exchange credentials, brokerage tokens, and wallet identifiers, resulting in uninformed disclosure of sensitive financial information.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The documentation states that all data stays local, but the listed commands necessarily transmit portfolio-related queries, wallet addresses, and potentially credentials to external services. That mismatch can cause users to expose highly sensitive financial data under false assumptions about confidentiality and data residency.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill advertises that data stays local, but it also instructs the agent to collect additional sensitive personal financial-profile data and save it for future use without clearly surfacing that persistence at the point of collection. This creates a transparency and consent problem: users may reasonably expect only portfolio records to be stored, not age, risk tolerance, goals, cash flow, and drawdown preferences.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The command explicitly invokes external price and FX fetch operations, which contradicts the skill metadata claim that all data stays in ~/.portfolio-tracker/. Even if only asset symbols are sent, this still discloses portfolio-related information to external services and creates a trust and privacy mismatch for users expecting fully local operation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The setup flow contradicts the claim that all data stays local by explicitly validating exchange credentials and wallet addresses through external scripts that necessarily contact third-party services. This is dangerous because users may rely on the local-only privacy promise and unknowingly transmit sensitive financial metadata or credentials off-host during setup.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
Passing API secrets as command-line arguments exposes them to local process listings, shell history, crash reports, and other monitoring tools, which directly contradicts the claim that keys are never displayed in full. Any local user, debugging utility, or endpoint telemetry agent may capture the secret, leading to compromise of exchange accounts.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file description and skill metadata state that data stays in ~/.portfolio-tracker, yet the documented setup performs external validation of wallet and exchange information. This mismatch creates a privacy and trust vulnerability because users may disclose credentials and financial identifiers under false assumptions about locality and data handling.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file hardcodes external Binance API endpoints and performs live network requests, which directly contradicts the stated claim that the portfolio tracker runs entirely locally and keeps all data under ~/.portfolio-tracker/. This mismatch is security-relevant because users may trust the local-only claim and provide sensitive exchange credentials without realizing the skill transmits them to third-party services.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata promises that the portfolio tracker runs entirely locally and keeps data under ~/.portfolio-tracker/, but the configured chain definitions hard-code public RPC endpoints for Ethereum-compatible networks. This causes wallet addresses and query activity to be sent to third-party services, creating a clear privacy and trust-boundary violation relative to the stated behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The fetch logic instantiates JsonRpcProvider objects against third-party RPC URLs and performs live balance queries, which contradicts the claimed local-only purpose of the skill. Even if no funds can be moved, this still exposes sensitive portfolio-linked metadata and creates dependency on external infrastructure not disclosed by the skill context.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata explicitly claims the portfolio tracker runs entirely locally and keeps all data under ~/.portfolio-tracker/, but this file makes multiple outbound requests to Binance, CoinGecko, and Yahoo endpoints for prices, FX rates, historical data, and symbol search. Even if only symbols or search terms are sent, this leaks portfolio interests and user queries to third parties and violates the stated trust boundary, making the behavior security-relevant rather than a harmless implementation detail.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata states the tracker runs entirely locally and keeps all data under ~/.portfolio-tracker/, but this code makes outbound requests to Interactive Brokers and transmits user-supplied token/query identifiers to a third-party service. That mismatch is security-relevant because users may trust the local-only claim and provide sensitive brokerage credentials under false assumptions about data flow and exposure.
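Every Description-Behavior Mismatch and Intent-Code Divergence finding above reduces to one check: does the code reach hosts that the skill's metadata never declares? The following is an added example, not SkillSpector's scanner and not the skill's own code, that performs that check statically over a constructed stand-in for the skill's source. The hostnames in the sample, the shape of the declared-permissions object (`{ network: [...] }`), and the list of network "sink" calls are assumptions for illustration.

```javascript
// Added example (not the skill's or SkillSpector's code): compare the hosts a
// skill's source actually references against the network access it declares.

// Constructed metadata: an empty network list models a "runs entirely locally" claim.
const DECLARED_LOCAL_ONLY = { network: [] };

// Constructed stand-in for skill source; the hostnames are illustrative only.
const SAMPLE_SOURCE = `
const p = await fetch(\`https://api.binance.com/api/v3/ticker/price?symbol=\${s}USDT\`);
const fx = await fetch("https://api.coingecko.com/api/v3/simple/price?ids=bitcoin&vs_currencies=usd");
const provider = new JsonRpcProvider("https://rpc.example-chain.invalid");
const cfg = JSON.parse(fs.readFileSync(path.join(home, ".portfolio-tracker", "config.json")));
`;

// Capture the host of every http(s) URL literal; stop at whitespace, quotes or ')'.
const URL_RE = /https?:\/\/([a-z0-9.-]+)(?::\d+)?[^\s"'`)]*/gi;

// Calls that imply outbound traffic even when the URL is assembled at runtime.
const SINKS = [/\bfetch\s*\(/, /\bJsonRpcProvider\s*\(/, /\baxios\./, /\bhttps?\.request\s*\(/];

function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(URL_RE)) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

function hasNetworkSink(source) {
  return SINKS.some((re) => re.test(source));
}

// Returns the referenced hosts, the ones missing from the declaration, and a verdict
// in the report's own vocabulary.
function auditNetworkClaims(source, declared) {
  const hosts = extractHosts(source);
  const declaredHosts = new Set((declared.network || []).map((h) => h.toLowerCase()));
  const undeclared = hosts.filter((h) => !declaredHosts.has(h));
  const sink = hasNetworkSink(source);
  let verdict = "consistent";
  if (declaredHosts.size === 0 && (undeclared.length > 0 || sink)) {
    verdict = "description-behavior mismatch: local-only claim but outbound calls present";
  } else if (undeclared.length > 0) {
    verdict = "underdeclared capability";
  }
  return { hosts, undeclared, hasNetworkSink: sink, verdict };
}

console.log(auditNetworkClaims(SAMPLE_SOURCE, DECLARED_LOCAL_ONLY));
```

A string scan like this only finds URL literals; it will miss endpoints built from config values or concatenated at runtime, which is why the sink check is kept as a second, independent signal. Treat a "consistent" result as the absence of evidence, not proof of local-only behavior.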

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup stores sensitive API credentials in a local config file, but the documentation does not prominently warn users about this or describe protections for the file. Local storage of exchange and brokerage credentials increases the risk of credential theft through weak filesystem permissions, backups, logs, or other local compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The command collects sensitive financial-planning data such as age, investable cash flow, investment goals, and acceptable drawdown, then saves it to config for future use, but does not require a clear storage warning or consent step. Even though storage is local, this is still sensitive personal data whose persistence can surprise users and increase privacy risk on shared or compromised systems.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The command overwrites stored pricing fields, exchange rates, and refresh timestamps without any warning, preview, or confirmation. In a portfolio tracker this can silently modify persisted financial data, making it harder for users to detect unwanted changes, recover prior values, or distinguish local records from externally refreshed data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The validation commands place exchange credentials directly in process arguments without warning users about process-list, shell-history, or endpoint logging leakage. Even on a local-only tool, this is a common secret-handling weakness that can expose long-lived API credentials to other local observers or system instrumentation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The command explicitly removes previously synced Binance assets that no longer appear in the exchange account, but the user-facing description does not warn about this destructive reconciliation behavior. This can cause silent data loss in the local portfolio if the exchange API returns incomplete data, the wrong account is selected, or the user does not realize sync is authoritative rather than additive.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The command explicitly removes assets no longer present in IBKR and updates existing IBKR-linked holdings, but the user-facing workflow does not require confirmation, preview changes, or warn about destructive effects. If the Flex Query is incomplete, misconfigured, or temporarily returns partial data, legitimate assets can be deleted or overwritten in the local portfolio, causing data loss and misleading portfolio state.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The command performs destructive state changes by updating stored portfolio data and removing wallet assets no longer present, but the user-facing description does not warn about those mutations before execution. This can cause unintended data loss or confusion, especially if RPC failures, token filtering, chain misconfiguration, or partial syncs make legitimate assets appear absent and therefore removable.
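The three sync findings above (Binance, IBKR, wallet) describe the same failure mode: reconciliation that deletes local records whenever the remote side omits them, with no preview and no guard against an empty or partial response. The block below is an added example, not the skill's sync code, of how such a reconciliation can be planned first and applied only after review. The portfolio records, the remote snapshot, the `source` tag used to scope what a sync may touch, and the thresholds are all constructed for illustration.

```javascript
// Added example (not the skill's code): reconcile a local portfolio against a
// remote snapshot with a preview step and guards against destructive syncs.

// Constructed local portfolio; `source` marks which records a given sync may touch.
const LOCAL_PORTFOLIO = [
  { symbol: "BTC", qty: 0.5, source: "binance" },
  { symbol: "ETH", qty: 4, source: "binance" },
  { symbol: "VTI", qty: 30, source: "manual" },
];

// Constructed remote snapshot as a sync would receive it from the exchange.
const REMOTE_SNAPSHOT = [
  { symbol: "BTC", qty: 0.6 },
  { symbol: "SOL", qty: 12 },
];

// Build a plan without mutating anything. Refuses when the remote response looks
// empty/partial or when it would wipe most of the source's holdings.
function planSync(local, remote, source, opts = {}) {
  const minRemote = opts.minRemoteAssets ?? 1;
  if (!Array.isArray(remote) || remote.length < minRemote) {
    return { ok: false, reason: `remote returned ${Array.isArray(remote) ? remote.length : 0} assets; refusing to treat an empty or partial response as authoritative` };
  }
  const remoteBySymbol = new Map(remote.map((a) => [a.symbol, a]));
  const plan = { ok: true, add: [], update: [], remove: [], untouched: [] };
  for (const rec of local) {
    if (rec.source !== source) { plan.untouched.push(rec.symbol); continue; }
    const r = remoteBySymbol.get(rec.symbol);
    if (!r) plan.remove.push(rec.symbol);
    else if (r.qty !== rec.qty) plan.update.push({ symbol: rec.symbol, from: rec.qty, to: r.qty });
    remoteBySymbol.delete(rec.symbol);
  }
  for (const [symbol, a] of remoteBySymbol) plan.add.push({ symbol, qty: a.qty });
  // Mass removal is the signature of a wrong account or a truncated response.
  const syncedCount = local.filter((rec) => rec.source === source).length;
  if (syncedCount > 0 && plan.remove.length / syncedCount > (opts.maxRemoveRatio ?? 0.5)) {
    plan.ok = false;
    plan.reason = `would remove ${plan.remove.length} of ${syncedCount} ${source} assets; exceeds maxRemoveRatio`;
  }
  return plan;
}

// Apply a reviewed plan. Removals need an explicit confirm flag.
function applySync(local, plan, source, { confirm = false } = {}) {
  if (!plan.ok) throw new Error(`sync refused: ${plan.reason}`);
  if (plan.remove.length > 0 && !confirm) {
    throw new Error(`sync would remove ${plan.remove.join(", ")}; rerun with confirm after reviewing the preview`);
  }
  const removed = new Set(plan.remove);
  const updates = new Map(plan.update.map((u) => [u.symbol, u.to]));
  const next = local
    .filter((rec) => !(rec.source === source && removed.has(rec.symbol)))
    .map((rec) => (rec.source === source && updates.has(rec.symbol) ? { ...rec, qty: updates.get(rec.symbol) } : rec));
  for (const a of plan.add) next.push({ symbol: a.symbol, qty: a.qty, source });
  return next;
}

function formatPreview(plan) {
  if (!plan.ok) return `REFUSED: ${plan.reason}`;
  return [
    `add:    ${plan.add.map((a) => `${a.symbol} ${a.qty}`).join(", ") || "-"}`,
    `update: ${plan.update.map((u) => `${u.symbol} ${u.from} -> ${u.to}`).join(", ") || "-"}`,
    `remove: ${plan.remove.join(", ") || "-"}`,
    `kept (other sources): ${plan.untouched.join(", ") || "-"}`,
  ].join("\n");
}

console.log(formatPreview(planSync(LOCAL_PORTFOLIO, REMOTE_SNAPSHOT, "binance")));
```

Scoping mutations by `source` is what keeps a brokerage sync from touching manually entered or wallet-derived holdings; the removal-ratio guard and the confirm flag turn a silent deletion into a visible decision.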

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The CLI accepts the Binance API key and secret as positional command-line arguments, which can expose secrets through shell history, process listings, audit logs, crash reports, or other local monitoring tools. Even though the skill is intended for local use, financial API credentials are highly sensitive and this handling unnecessarily increases the risk of credential disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The wallet address provided by the user is transmitted to third-party RPC providers through getBalance and ERC20 balanceOf calls without any explicit warning or consent mechanism. This can deanonymize users, reveal chain interest and portfolio composition patterns, and undermine the expectation that all data remains local.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code sends sensitive IBKR access parameters in URL query strings during fetch requests, without any evident user-facing disclosure or confirmation. Even though HTTPS protects the URL in transit, query-string credentials are far more likely than header- or body-carried ones to land in server access logs, proxies, local history, crash reports, or upstream instrumentation, increasing the chance of credential leakage.

External Transmission

Medium
Category
Data Exfiltration
Content
// Attempt 1: Binance
  try {
    const url = `https://api.binance.com/api/v3/ticker/price?symbol=${baseSymbol}USDT`;
    const response = await fetch(url);   // outbound request: the asset symbol leaves the machine
    if (response.ok) {
      const data = await response.json();
      // ... (excerpt truncated by the scanner; later price-source attempts not shown)
    }
  } catch (err) {
    // falls through to the next price source
  }
Confidence
90% confidence
Finding
https://api.binance.com/

VirusTotal

66/66 vendors flagged this skill as clean.
