Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Multichain Portfolio Tracker
v1.0.0
Track multi-chain crypto portfolio with real-time prices, P&L, and alerts. Supports EVM (Ethereum, Base, Arbitrum, Polygon, Optimism), Solana, and manual ent...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match what the files implement: price checks, wallet balance queries, portfolio aggregation, and alerts. The scripts operate without requiring API keys which matches the README. Minor inconsistency: SKILL.md references a pnl.sh script for P&L calculation but no pnl.sh is present in the supplied manifest.
Instruction Scope
Scripts read a local portfolio.json (expected) and call external services (CoinGecko and several public RPC endpoints). Those network calls will send wallet addresses and requested token symbols to third-party endpoints (e.g., eth.llamarpc.com, mainnet.base.org, api.coingecko.com), which can log IPs and queried addresses—this is a privacy/exfiltration risk not called out in the README. Otherwise the instructions limit themselves to the task and do not attempt to read unrelated files or credentials.
Install Mechanism
Instruction-only skill with no install spec; scripts run using system bash/python3. No downloads or archive extraction are performed by the skill itself.
Credentials
No environment variables or credentials are requested, which is proportional. However the hard-coded use of third-party RPC endpoints (not locally controlled) means sensitive data (wallet addresses and IPs) will be sent to those providers; consider whether you trust those endpoints or want to substitute your own RPC URLs.
Persistence & Privilege
The skill is user-invocable and not always-enabled. It does not attempt to modify other skills or system settings and does not request persistent presence.
What to consider before installing
This skill appears to implement what it claims, but before installing or running it:
(1) Understand that the scripts query public RPC providers and CoinGecko — those external services will receive the wallet addresses and token symbols you check (they can log requests and IPs). If you care about privacy, replace the hard-coded RPC URLs with your own RPC provider or a private node.
(2) The SKILL.md mentions pnl.sh but that file is missing — expect limited P&L functionality until you add/implement it.
(3) Inspect the scripts locally (they are simple bash/python) and run them in a restricted environment if you are unsure.
(4) If you want to avoid third-party logging entirely, configure trusted RPC endpoints or API keys that you control.
If you want me to, I can point out exactly which lines to change to swap in custom RPC URLs or remove any specific endpoint.
Like a lobster shell, security has layers — review code before you run it.
latestvk97by4s98zszf6x6fghxdgp8g183yrzf
