RiskOfficer

What to check before installing: - Trust & provenance: The registry metadata you provided lists Source: unknown / Homepage: none, but SKILL.md and README claim an official GitHub repo (github.com/mib424242/riskofficer-openclaw-skill) and riskofficer.tech. Verify those links yourself (check the GitHub repo contents, commit history, and whether the repository owner matches the publisher you trust). A mismatch between registry metadata and the SKILL.md reduces confidence. - Token scope: Create a dedicated RISK_OFFICER_TOKEN for this skill (name it "OpenClaw"), with the minimum access RiskOfficer supports, and be prepared to revoke it. Although the skill repeatedly says it "does not store or log your token," the API surface includes endpoints that create/update/delete virtual portfolios and manage broker sync; the token likely authorizes actions in your RiskOfficer account (not your broker). Treat it like an account-level secret. - Use ephemeral session env var when possible: prefer exporting RISK_OFFICER_TOKEN in the session instead of saving it in ~/.openclaw/openclaw.json. If you must save it, restrict file permissions and be aware other agents/users who can read that file gain access. - Functional limits: The service is documented as supporting only RUB and USD with CBR/MOEX FX rates. If you need EUR/other FX providers, this skill won't support them. - Test cautiously: Try read-only queries first (ticker search, list portfolios) with a limited token or test account. Confirm responses come from api.riskofficer.tech and not unexpected endpoints. - If you need higher assurance: inspect the claimed GitHub repository, verify the repo owner and release tags, and confirm the skill package on the registry matches the repo. If you cannot verify the publisher, treat the token as higher risk and limit exposure (use a separate RiskOfficer account or token).