ClawHub

Ghostfolio

v1.0.0

Manage and query Ghostfolio portfolio data (performance, holdings, dividends) using API endpoints and token auth patterns.

0· 226·0 current·0 all-time
bynSimon (Nicolas)@nsimonfr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Ghostfolio API access) align with the requested primary credential GHOSTFOLIO_TOKEN. However, the SKILL.md also expects GHOSTFOLIO_BASE_URL and GHOSTFOLIO_TIMEZONE (but only GHOSTFOLIO_TOKEN is declared as required), which is a mismatch between declared requirements and what the instructions actually use.
!
Instruction Scope
The instructions instruct the agent to run network calls (curl) against a local or remote base URL, perform an anonymous token exchange, write to /tmp/gf_probe.json, and parse results with jq. They also suggest using curl -k for TLS diagnostics. The SKILL.md references environment variables not listed in requires.env and relies on external CLI tools (jq) that are not declared as required — this gives the skill broader runtime effects than the registry metadata describes.
Install Mechanism
This is an instruction-only skill with no install spec, so it won't write code to disk or fetch third-party packages. That is low install risk. However, the instructions do implicitly require runtime tools (curl and jq) that are not installed by the skill.
Credentials
Only one credential (GHOSTFOLIO_TOKEN) is declared as required which is proportionate for an API integration. The SKILL.md also expects optional GHOSTFOLIO_BASE_URL and GHOSTFOLIO_TIMEZONE but these are not listed in the registry metadata — this is a documentation inconsistency rather than an extra credential demand.
Persistence & Privilege
The skill does not request permanent 'always' inclusion or elevated privileges. It does perform network calls and creates a temporary file in /tmp during probes, but it does not modify other skills or system-wide agent configuration.
What to consider before installing
This skill appears to do what it claims (talk to Ghostfolio APIs with a token) but the runtime instructions reference additional environment variables (GHOSTFOLIO_BASE_URL, GHOSTFOLIO_TIMEZONE) and require CLI tools (curl, jq) that are not listed in the registry metadata. Before installing: 1) Confirm you trust the target Ghostfolio host (especially if you set a remote GHOSTFOLIO_BASE_URL); 2) Ensure curl and jq are available on the agent runtime, or the canned commands will fail; 3) Be aware the skill will make network calls and write /tmp/gf_probe.json during probes; 4) Only provide the GHOSTFOLIO_TOKEN to trusted code/hosts and avoid pasting it into logs; 5) Ask the publisher to update the metadata to declare the additional environment variables and required binaries (or remove undeclared dependencies) for clearer, safer use.

Like a lobster shell, security has layers — review code before you run it.

latestvk978q654cnvskf6gf8x06vphan82aw18

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

👻 Clawdis
EnvGHOSTFOLIO_TOKEN
Primary envGHOSTFOLIO_TOKEN

Comments