Sharesight Skill for OpenClaw
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent Sharesight finance integration, but it needs Sharesight API credentials and can change or delete portfolio records if write mode is explicitly enabled.
This skill looks purpose-aligned for managing Sharesight via its API. Before installing, verify you trust the source, understand that it can read financial portfolio data, and keep SHARESIGHT_ALLOW_WRITES unset unless you intentionally want the agent to make account changes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and configuring this skill gives it access to your Sharesight account through the API, including financial portfolio information.
The skill uses Sharesight API client credentials from the environment to obtain authenticated access tokens.
client_id = os.environ.get("SHARESIGHT_CLIENT_ID")
client_secret = os.environ.get("SHARESIGHT_CLIENT_SECRET")
Use only credentials intended for this integration, limit account/API permissions if Sharesight supports it, and remove the token with `sharesight auth clear` when no longer needed.
If write mode is enabled, the agent may be able to modify or delete Sharesight holdings, custom investments, prices, coupon rates, or related records when asked.
The skill supports high-impact create, update, and delete operations against financial records, but documents an explicit environment-variable gate before writes are allowed.
Write operations (create, update, delete) are **disabled by default** for safety. To enable them:
export SHARESIGHT_ALLOW_WRITES=true
Leave write mode disabled unless you need it, review commands carefully before allowing mutations, and consider enabling it only for the session where writes are required.
Future installs could resolve different dependency versions, and the lack of clear upstream provenance makes it harder to verify the package origin.
The package uses an open dependency version range rather than a pinned dependency, and the registry metadata lists the source as unknown with no homepage.
dependencies = [
"httpx>=0.27.0",
]
Install from a source you trust, review the code before configuring credentials, and consider pinning dependencies in a lockfile for reproducible installs.
