portfolio tracking
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches a portfolio tracker, but users should review it carefully because its “all local/no server” privacy claims are overstated and it handles financial credentials in ways that can expose them locally.
Install only if you are comfortable with external market-data, exchange, broker, blockchain RPC, and AI-advice data flows. Use read-only exchange keys, disable trading/withdrawal permissions, secure `~/.portfolio-tracker/config.json`, and do not rely on the skill’s broad “no data sent to any server” wording.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe portfolio details, wallet addresses, API queries, or advice inputs never leave their computer, when several features necessarily contact third-party services or put financial details into the agent’s context.
The README makes an absolute no-server/local-only claim while also describing external provider sync and price lookups. That can mislead users about what data leaves the machine during normal use.
All data stays on your machine — no backend, no cloud, no account needed. ... Sync from **Binance**, **Interactive Brokers**, and **EVM blockchain wallets** ... Real-time prices from Binance, CoinGecko, and Yahoo Finance ... No data is sent to any server
Treat the local-only claim as applying only to storage, not all processing. The maintainer should explicitly list each external service and what data is sent before sync, price refresh, or advice.
Exchange or broker credentials could be exposed locally if command invocations are logged or visible to other processes/users on the machine.
The setup flow asks for financial account credentials, stores them locally, and instructs validation by placing full secrets in command-line arguments, which can appear in process listings, terminal logs, or agent command traces.
Ask for API Key and API Secret ... Validate via `npx tsx <skill-path>/scripts/binance-sync.ts validate <apiKey> <apiSecret>` ... API keys are stored locally in `~/.portfolio-tracker/config.json` ... Never log or display full API keys
Use read-only API keys with withdrawals/trading disabled, restrict keys by IP if possible, set `chmod 600 ~/.portfolio-tracker/config.json`, and prefer passing secrets via stdin or a protected config file rather than command-line arguments.
Using `/advise` may expose detailed holdings, age, cash flow, risk tolerance, and investment goals to the AI session.
The advice command intentionally loads persisted portfolio and user-profile data and uses it in the model prompt. This is purpose-aligned, but it is sensitive financial context.
Run `npx tsx <skill-path>/scripts/data-store.ts load` ... `load-config` to get user profile ... Prepare the portfolio summary ... Current Portfolio ... {portfolioSummary}
Run `/advise` only if you are comfortable sharing that financial context with the agent, and avoid storing profile details you do not need.
It is harder to independently verify the publisher, upstream repository, or maintenance history before running the scripts.
The registry metadata provides limited provenance for a skill that includes executable TypeScript scripts and npm dependencies.
Source: unknown; Homepage: none
Inspect the included scripts and package files before use, and install only if you trust the publisher and dependency set.
