Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crypto SAFE Portfolio Analyzer Pro
v1.0.1
Safe cryptocurrency portfolio tracking and P&L analysis. Monitors portfolio value, calculates profit/loss with custom cost basis, tracks live prices via Coin...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Benign (medium confidence)
Purpose & Capability
Name/description describe portfolio tracking, P&L, and market scanning; the included Python and Node scripts call CoinGecko, Coinbase, and public sentiment APIs and produce reports/alerts — all consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run the included scripts, supply holdings/config JSON, and integrate with cron/Discord. The runtime instructions and commands stay within portfolio/reporting scope. Notes: examples reference child_process.exec for integrations (expected), and the skill will read local config files if present (./portfolio-config.json, ../references/config-example.json, or ~/.openclaw/...); this means it may load user-local configuration files if they exist.
Install Mechanism
No install spec is provided (instruction-only), which is low-risk. However, the Python script imports the third-party 'requests' library and the Node script expects a local config.json — these runtime dependencies are not declared in SKILL.md/registry metadata, so users must install Python requests and have Node available manually. No network downloads or obscure external install URLs are present.
Credentials
The skill requests no environment variables, no credentials, and only calls public APIs (CoinGecko, Coinbase, alternative.me). The config examples include Discord/exchange fields but no tokens are required by the provided code. There is no evidence of unrelated credential access.
Persistence & Privilege
The skill does not request elevated platform privileges and 'always' is false. It reads/writes only expected local config paths and does not modify other skills or system-wide settings. track_wallet only modifies an in-memory structure and prints output (no implicit persistent storage).
Assessment
This skill appears to do what it says (fetch public market data and produce portfolio reports). Before installing or running it:
1) Review and create a safe config file (it will try to load ./portfolio-config.json, ../references/config-example.json, or ~/.openclaw/workspace/crypto-portfolio-config.json if present).
2) Ensure you have required runtimes/deps (Python + requests for the Python script; Node.js for the JS script).
3) There is no built-in Discord webhook/posting — if you add Discord integration, don't paste secret tokens into repository files; store them securely and review any code that would send them out.
4) Note small inconsistencies: the JS script reads ../config.json (not provided) while SKILL.md references portfolio-config.json — make sure your config filenames are correct.
5) Run the scripts locally on sample data first to confirm behavior and inspect outputs.
If you want higher assurance, request a signed provenance/source URL from the publisher or run the code in an isolated environment.
scripts/portfolio-tracker.js:12
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
