InvestmentTracker Platform
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its investment-tracking purpose, but it embeds live-looking API credentials and may print user credentials in logs.
Do not install or run this skill with real financial credentials until the embedded API key is removed and rotated, credential logging is fixed, and you have verified the provider endpoint. If you proceed, use your own read-only scoped API key and review the Python scripts before running them.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is valid, users may accidentally use or expose someone else's financial-account credential, or all installs may share the same account access.
A live-looking InvestmentTracker API key is embedded directly in configuration examples for an investment account integration.
"Authorization": "Bearer it_live_...", "X-API-Key": "it_live_..."
Remove the embedded key from all artifacts, rotate it immediately, and require each user to provide their own scoped API key through a secure config or environment variable.
A user's API key could appear in terminal output, OpenClaw logs, or chat-visible debug output.
The code prints configured headers and part of the curl command; those headers can include Authorization or X-API-Key values.
print(f"Headers: {self.headers}") ... print(f"命令: {' '.join(cmd[:10])}...")
Never print full headers or command lines containing secrets. Redact Authorization, X-API-Key, cookies, and tokens before logging.
The skill will execute local curl commands when fetching investment data, and command-line arguments may include sensitive headers.
The skill shells out to curl to call the MCP API. This is purpose-aligned, but raw command execution with configured URLs and headers deserves user awareness.
cmd = ['curl', '-s', '-N', '-X', 'POST'] ... subprocess.run(cmd, capture_output=True, text=True, timeout=30)
Prefer a native HTTP client with redacted logging, or ensure command construction is tightly controlled and secrets are not visible in process lists or logs.
Users have less provenance information for code that can be run locally and can access financial-account APIs.
The package has many runnable scripts but lacks a source/homepage and install specification in the provided metadata.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Code file presence: 29 code file(s)
Review the included scripts before running them and prefer a published source repository, versioned release, and explicit runtime requirements.
Your investment-account requests and returned portfolio information depend on the external InvestmentTracker MCP service.
The skill connects to an external MCP endpoint using an API key to retrieve user identity and portfolio data.
"url": "https://claw.investtracker.ai/mcp", "Authorization": "Bearer YOUR_API_KEY"
Use only a trusted endpoint, verify the provider, and use a least-privilege API key intended for this integration.
