Portfolio Risk Analyzer
Warn
Audited by ClawScan on May 10, 2026.
Overview
Review before installing: this skill asks for crypto private-key access and can run automatic token-buyback transactions, while key transaction helper code is missing and the analysis implementation is incomplete.
Do not run this with a real funded wallet or private key unless the missing transaction scripts are supplied and audited. If you experiment, use a fresh low-balance wallet, disable the hourly cron buyback, manually review every swap, and do not rely on its financial analysis until the stubbed portfolio data code is completed.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with a real wallet, the skill could automatically convert all USDC in the configured payment wallet into BANKR.
The script uses the payment wallet balance and swaps the full USDC balance above the threshold into BANKR, rather than only a clearly tracked fee amount, and no approval prompt is shown.
USDC_BALANCE=$(node scripts/get-balance.js "$PAYMENT_WALLET_ADDRESS" "$USDC_ADDRESS") ... RESULT=$(node scripts/uniswap-swap.js --from "$USDC_ADDRESS" --to "$BANKR_TOKEN" --amount "$USDC_BALANCE" --slippage 2)
Do not connect a funded wallet unless the transaction logic is audited; use a dedicated low-balance wallet and require manual approval for swaps.
Financial actions can continue in the background after the server is started, without the user reviewing each run.
Starting the server creates a recurring hourly background job that invokes the buyback script automatically.
cron.schedule('0 * * * *', async () => { ... execSync('./scripts/execute-buyback.sh 100', { stdio: 'inherit' }); });
Disable the cron job by default and require explicit user confirmation before each buyback transaction.
A compromised or buggy skill path could put the configured wallet's funds at risk.
The skill asks for a raw crypto wallet private key, a high-impact credential, while the registry metadata declares no primary credential or required env vars.
Private key for receiving payments & executing buybacks: export PAYMENT_WALLET_KEY="your_private_key"
Avoid supplying a main wallet private key; if testing, use a new dedicated wallet with minimal funds and review all code that can access the key.
The skill may fail, or users may later add/run unreviewed code that controls wallet transactions.
These high-impact helper scripts are referenced by the buyback flow but are not present in the supplied file manifest, so the actual transaction, burn, and distribution logic cannot be reviewed.
node scripts/uniswap-swap.js ... node scripts/burn-tokens.js ... node scripts/distribute-to-holders.js
Require all referenced helper scripts to be included and audited before installation or use with credentials.
Risk scores and recommendations may be incomplete or misleading for financial decisions.
The included implementation returns no token balances, despite the skill being marketed as real-time multi-chain portfolio and risk analysis.
async function fetchTokenBalances(wallet, chain) {
// TODO: Implement with Alchemy, Moralis, or similar
return [];
}
Treat the analyzer as a prototype until token, DeFi, NFT, and stress-test data paths are actually implemented and validated.
