ClawHub

Portfolio Watcher

v1.0.0

Monitor stock/crypto holdings, get price alerts, track portfolio performance

5· 6.7k·50 current·53 all-time
by@jhillin8
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (track holdings, price alerts, performance) aligns with an instruction-only implementation that uses conversational input and web price lookups. It does not request unrelated credentials or system access, which is appropriate. However, no price data sources or APIs are declared, so it's unclear how 'real-time prices' will be obtained.
!
Instruction Scope
SKILL.md instructs the agent to 'track holdings', 'fetch real-time prices', and 'send alerts' but does not specify where prices are fetched from, how holdings are persisted, or which channels are used for alerts. This vagueness grants the agent broad discretion (e.g., calling arbitrary web endpoints, storing data persistently, or sending data to third-party services) which is a potential privacy/exfiltration risk.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes installation risk because nothing is downloaded or written to disk by the skill package itself.
Credentials
The skill requests no environment variables or credentials, which is proportionate. That said, because alert delivery and price sources are unspecified, the agent might still prompt the user for credentials or contact external APIs at runtime — the lack of declared env/creds doesn't guarantee safe behavior.
Persistence & Privilege
always is false and the skill is user-invocable, so it does not demand permanent unconditional inclusion. There is no instruction in SKILL.md that modifies other skills or system settings. The main concern is unspecified persistent storage of holdings (not declared), which should be clarified before use.
What to consider before installing
This skill could be useful, but it leaves important behaviors undefined. Before installing or entering real holdings: (1) Ask the author which price APIs or data sources are used and whether those are trusted (e.g., official exchanges, CoinGecko, Yahoo Finance). (2) Confirm where and how your holdings are stored (in-chat memory only, or persisted to a file/database) and how long data is retained. (3) Ask how alerts are delivered (in-app notification, email, webhook) and whether any third-party endpoints will receive your data. (4) Never enter brokerage credentials or other sensitive secrets into this skill unless you have a clear, justified reason and an explicit privacy/security policy. If the author cannot or will not clarify these points, treat the skill as higher risk and avoid putting private financial details into it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ex11s698q38g7k5ns7ph4vx7zxwdj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments