Solana Portfolio

Review

Audited by ClawScan on May 10, 2026.

Overview

This looks like a watch-only Solana portfolio tracker, but it uses a raw Telegram user ID to access and modify stored wallet data and depends on unreviewed shared code.

Install only if you are comfortable linking public Solana wallet addresses to your Telegram identity. Do not provide private keys or seed phrases. Before use, confirm that the host system binds commands to the current user and that the shared storage/service code is trusted.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If runtime protections do not add their own user binding, an agent or user who supplies another Telegram ID could potentially view or affect another user's tracked portfolio data.

Why it was flagged

Portfolio lookup is keyed from a command-line Telegram user ID, and the visible script does not verify that the supplied ID is the current authenticated user.

Skill content
const telegramId = process.argv[2]; ... const user = findOrCreateUser(telegramId, ''); const wallets = getUserWallets(user.id);
Recommendation

Bind portfolio access to the authenticated/current user in the runtime, avoid accepting arbitrary user IDs from prompts, and enforce ownership checks inside the shared service layer.
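To make the recommendation concrete, here is an added example (not the skill's code or the shared module it depends on) that keeps the reviewed call shape but moves the ownership check into the service layer. The store, user records and wallet addresses are hypothetical; the point it shows is that such a check only helps when the actor identity comes from the runtime's authenticated session rather than from argv or a prompt.

```javascript
// Added example, not the skill's code; an in-memory store stands in for the shared services.
const usersByTelegramId = new Map(); // telegramId -> { id, telegramId }
const walletsByUserId = new Map();   // user.id -> Set of public wallet addresses
let nextUserId = 1;

function findOrCreateUser(telegramId) {
  let user = usersByTelegramId.get(telegramId);
  if (!user) {
    user = { id: nextUserId++, telegramId };
    usersByTelegramId.set(telegramId, user);
    walletsByUserId.set(user.id, new Set());
  }
  return user;
}

// Ownership check inside the service layer: `actor` is the identity the runtime
// authenticated, and every call must target a record that identity owns.
function assertOwner(actor, userId) {
  const owner = usersByTelegramId.get(actor.telegramId);
  if (!owner || owner.id !== userId) {
    throw new Error(`telegram user ${actor.telegramId} does not own record ${userId}`);
  }
}

function addWallet(actor, userId, address) {
  assertOwner(actor, userId);
  const set = walletsByUserId.get(userId);
  const added = !set.has(address); // false when the address was already tracked
  set.add(address);
  return added;
}

function getUserWallets(actor, userId) {
  assertOwner(actor, userId);
  return [...walletsByUserId.get(userId)];
}

// Pattern from the reviewed script: the ID is whatever argv[2] holds, so the
// "actor" is built from untrusted input and the ownership check proves nothing.
function portfolioFromArgv(argv) {
  const telegramId = argv[2];
  const user = findOrCreateUser(telegramId);
  return getUserWallets({ telegramId }, user.id);
}

// Hardened entry point: the runtime hands over the authenticated session and the
// script never accepts a user ID from the prompt or the command line.
function portfolioForSession(session) {
  const user = findOrCreateUser(session.telegramId);
  return getUserWallets({ telegramId: session.telegramId }, user.id);
}
```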

What this means

The reviewed files do not show how wallet data is stored, how portfolios are fetched, or whether extra network/data handling occurs in those shared modules.

Why it was flagged

The visible scripts delegate core user storage, wallet handling, and portfolio retrieval to shared modules outside the provided file manifest.

Skill content
const sharedDir = path.resolve(__dirname, '..', '..', '..', 'shared'); ... require(path.join(sharedDir, 'services'))
Recommendation

Publish or declare the shared dependency clearly, include its reviewed source or version/provenance, and document the data storage and network behavior.

What this means

Wallet addresses are public on-chain, but linking them to a Telegram user and storing them persistently can reveal sensitive financial profile information.

Why it was flagged

The skill saves wallet addresses linked to a Telegram user record so they can be reused for later portfolio queries.

Skill content
const user = findOrCreateUser(telegramId, ''); ... const added = addWallet(user.id, address);
Recommendation

Use only watch-only public wallet addresses, disclose retention/storage behavior, and provide clear remove/delete controls for saved wallet associations.

What this means

A user could receive investment-like rebalancing suggestions from a skill they expected to only track and display holdings.

Why it was flagged

An included script can output allocation action suggestions, which goes beyond the main documented wallet/portfolio display workflow and should be clearly disclosed.

Skill content
console.log(isZh ? '⚖️ 智能再平衡建议(教育用途)' : '⚖️ Smart Rebalancing Suggestions (Educational)'); ... item.action === 'reduce' ? ... '可考虑降低配置' ... : ... '可考虑提高配置'
Recommendation

Document this feature explicitly, run it only after a clear user request, keep the educational/non-advice disclaimer, and avoid presenting suggestions as personalized financial advice.