ClawWatch
Pass
Audited by ClawScan on May 1, 2026.
Overview
ClawWatch appears purpose-aligned for market watchlists, but users should verify the external CLI package and be aware that watchlist data, optional API keys, and analysis data may be stored or shared.
Before installing, verify the `clawwatch` package source and version. Use the skill for explicit watchlist, alert, and price-check tasks; be careful with optional API keys and sensitive portfolio notes; and approve any handoff of watchlist JSON to a separate analysis agent.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI would trust whatever package is resolved by the package manager.
The skill instructs installation of an external package without a pinned version or included reviewed implementation in the provided artifacts.
`pip install clawwatch`
Verify the package provenance, version, and maintainer before installing or running it.
A user or agent could run a local command that changes watchlist state or, if the command path is not trusted, executes unintended code.
The skill expects local command execution through Bash; if interpreted literally, `bash clawwatch` may execute a script/file named `clawwatch` rather than only the intended installed CLI.
Run commands via Bash tool: `bash clawwatch <command>`
Run only the trusted installed CLI, preferably as `clawwatch ...`, and confirm add/remove/alert actions before executing them.
Optional API keys may be stored in the tool configuration and should be treated as private.
The CLI can store optional market-data provider API keys, which is expected for rate limits or fallback data sources but still involves credential handling.
`--coincap-key` | Set CoinCap API key (optional) ... `--finnhub-key` | Set Finnhub API key
Use least-privilege/free-tier keys where possible and avoid sharing configuration output that may contain secrets.
Your investment interests or watchlist notes could be used as context in future responses.
The skill directs the agent to read persistent local watchlist/cache files, which may reveal tracked assets, tags, alerts, or notes.
`~/.clawwatch/latest.json` — Last fetched prices `~/.clawwatch/watchlist.json` — Full watchlist state
Avoid storing sensitive portfolio details in notes and periodically review or delete local `~/.clawwatch` data if needed.
Watchlist data may be shared outside this skill when the user asks for deeper analysis.
The skill explicitly allows handing watchlist/price JSON to another agent for analysis.
For deep analysis, pass the JSON data to market-analyst agent
Only allow inter-agent analysis when intended, and avoid including sensitive personal portfolio notes in data passed to other agents.
