Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Portfolio Tracker Pro

v1.0.0

Real-time cryptocurrency portfolio tracking and analysis. Monitors multiple wallets and exchanges, calculates P&L, tracks performance metrics, and provides a...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name and description promise multi-platform portfolio aggregation (Binance, Coinbase, wallet tracking), real-time updates, alerts, and report generation. The included code does not implement those integrations: track_portfolio.js uses a hard-coded PORTFOLIO constant and only queries CoinGecko; it does not read references/config.json, does not call exchange or blockchain explorer APIs, and does not accept wallet addresses. SKILL.md also documents a generate_report.js command that is not present. These mismatches mean the skill does not deliver the claimed capabilities and may mislead users about what data it needs.
Instruction Scope
SKILL.md instructs users to configure references/config.json (which contains API key placeholders) and to run scripts including generate_report.js (missing). However, the runnable scripts do not read or use that config.json (track_portfolio.js uses an internal PORTFOLIO constant) and set_alert.js writes to references/alerts.json. The instructions are therefore out of sync with the actual runtime behavior, granting the agent vague authority ('use when you need to monitor wallets/exchanges') that the code does not exercise.
Install Mechanism
No install spec and no external downloads — instruction-only plus two small JS scripts. No archives, no third-party package installs, and no unusual install behavior identified.
Credentials
The skill requires no environment variables and no primary credential. references/config.json contains placeholders for exchange API keys and Telegram SMTP settings (empty by default). That by itself is not malicious, but because the README suggests exchange/wallet integration while the code doesn't use those keys, a user could be misled into supplying sensitive keys later (or in a future version of the skill).
Persistence & Privilege
The skill does not request elevated or persistent platform privileges (always:false). It will create/write references/alerts.json when set_alert.js runs, which is normal for a local alerts store.
What to consider before installing
This skill is inconsistent: its description promises multi-exchange/wallet aggregation and a report script, but the included scripts are simple local tools (a static portfolio tracker hitting CoinGecko and an alert writer), and the generate_report.js referenced in the docs is missing. Before installing or running:
1) Inspect the scripts yourself (you already have them) — they do not exfiltrate data or contact unknown endpoints; track_portfolio.js only queries api.coingecko.com.
2) Do not paste real API keys into references/config.json or run the skill in a context with secrets until you confirm the code actually needs and safely handles them.
3) Note that set_alert.js will create references/alerts.json in the repo — check file permissions and content.
4) Ask the publisher for a source repository/homepage and a complete release (generate_report.js is missing and no homepage is listed).
5) If you intend to enable exchange or wallet integrations, prefer running the code in a sandboxed environment and store keys in a secure secret manager rather than plaintext config files.
If you want, I can point out the exact lines that would need changing to read config.json or to add exchange/wallet support.

Like a lobster shell, security has layers — review code before you run it.
