Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Portfolio Manager

v1.0.1

Intelligent portfolio management for crypto, stocks, and forex. Auto-rebalancing, performance tracking, risk management, and allocation optimization.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The README and SKILL.md advertise multi-exchange support and 'auto-rebalancing' that implies execution on exchanges. The code and tests provided operate locally and simulate prices/trades; there is no visible network/exchange API integration, no dependencies for exchange SDKs, and package.json has no modules. This is a functional mismatch: users are shown examples that pass exchange API keys/secrets, but the shipped implementation does not appear to actually call exchange APIs — at least in the visible code.
Instruction Scope
SKILL.md instructs users to add exchange credentials (apiKey/apiSecret) and wallet addresses in examples and describes executing rebalances that 'execute trades'. The runtime instructions do not ask the agent to read unrelated files or system config. However, the docs also include direct payment/contact instructions (WeChat/Telegram private message) and pricing for a paid 'pro' auto-rebalancing tier; combined with the mismatch above, this could induce users to hand over credentials or payment expecting live trading.
Install Mechanism
No install spec is present (instruction-only install via clawhub or manual npm) and package.json has no external dependencies and no remote download/install steps. Nothing in the install mechanism involves third-party URLs or archive extraction — low install risk.
Credentials
Registry metadata lists no required env vars, and the code only optionally reads process.env.PORTFOLIO_API_KEY. The SKILL.md examples show passing exchange API keys/secrets and wallet addresses directly when adding exchanges/wallets. That is reasonable for a portfolio tool, but because the code appears to simulate rather than integrate with exchanges, asking for keys in examples may be misleading. If you supply real exchange credentials, avoid granting withdrawal permissions; prefer read-only API keys.
Persistence & Privilege
The skill does not request always:true, does not modify system-wide configs, and does not declare required config paths. It appears to run with normal, non-persistent privileges.
What to consider before installing
This package claims to offer live multi-exchange auto-rebalancing and trade execution, but the included code and tests appear to simulate prices and trades locally and do not show implemented exchange API calls. Before installing, providing any API keys, or paying for 'pro' services:
1) Review the full index.js to confirm whether exchange integrations (and network calls) actually exist and whether they require API keys with trading or withdrawal privileges.
2) If you test, only use read-only API keys (no withdrawal rights) or sandbox/test accounts.
3) Ask the publisher for a clear description of which features perform live trades versus simulations, and for audit logs/URLs of the exchange integrations.
4) Be cautious about following payment/contact instructions in the README; prefer official support channels.
If needed, ask the author to document exactly how and where credentials are used, and to add explicit warnings about required API key scopes.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

index.js:18 — Environment variable access combined with network send.



Runtime requirements

Clawdis