RiskOfficer
Review
Audited by ClawScan on May 1, 2026.
Overview
This is a disclosed instruction-only RiskOfficer API skill, but installing it gives an agent an account-level token that can read and change your RiskOfficer portfolio records.
This skill appears coherent and purpose-aligned for RiskOfficer portfolio analytics. Install it only if you trust RiskOfficer and the linked repository, use a dedicated revocable token, avoid storing the token in shared config unless permissions are restricted, and require confirmation for delete, disconnect, batch, or apply operations.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed, the agent can use your RiskOfficer account token to access your RiskOfficer portfolio data and related analytics.
The skill clearly discloses that the credential is account-level and grants access to sensitive financial portfolio data, including broker-synced positions.
RiskOfficer currently issues account-level tokens (no scoped tokens)... Token scope: The token allows the skill to access your RiskOfficer data (portfolios, risk calculations, broker-synced positions for read-only analysis).
Use a dedicated RiskOfficer token for this skill, prefer an environment variable over shared config storage, and revoke or rotate the token when you no longer need it.
A mistaken or overly broad user request could change or delete virtual portfolio records or disconnect broker synchronization inside RiskOfficer.
The documented API actions include mutating or deleting RiskOfficer portfolio records and changing broker-sync state; this is purpose-aligned but can affect user data.
Portfolio Management — View, create, edit, and delete portfolios... Broker Integration — Sync from Tinkoff/T-Bank; connect, refresh, and disconnect brokers
Ask for explicit confirmation before delete, update, batch-create, apply-optimization, or broker-disconnect actions, and use test portfolios for experimentation.
Before granting an account token, you need to trust that the skill package and linked service are the intended RiskOfficer publisher.
The registry source field does not establish provenance, although the artifacts link to RiskOfficer and a GitHub repository and no code files are included.
Source: unknown
Verify the ClawHub listing, homepage, and GitHub repository match the RiskOfficer provider you trust before installing or entering a token.
