Ghostfolio

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill is purpose-aligned for querying Ghostfolio, but it handles a long-lived portfolio token and may leave probe output locally.

Before using this skill, set GHOSTFOLIO_BASE_URL only to your own trusted Ghostfolio instance, protect GHOSTFOLIO_TOKEN as a sensitive long-lived credential, avoid `curl -k` except for controlled diagnostics, and remove /tmp/gf_probe.json if you run the probe.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains or misuses the token could access the user's Ghostfolio portfolio data through the API.

Why it was flagged

The skill requires and uses a long-lived Ghostfolio token to access portfolio endpoints. This is expected for the stated purpose, but it is sensitive account authority.

Skill content

```bash
# Long-lived token supplied by user/admin
export GHOSTFOLIO_TOKEN="..."
...
AUTH_HEADER="Authorization: Bearer $GHOSTFOLIO_TOKEN"
```

Recommendation

Use a token with the least necessary access, keep it only in a trusted environment, and verify the base URL belongs to your own Ghostfolio server before sending the token.

What this means

Portfolio-related response data could remain on the local machine in /tmp/gf_probe.json after troubleshooting.

Why it was flagged

The quick probe writes API response bodies to a fixed temporary file, which may contain portfolio or error details and can persist after the command finishes.

Skill content

```bash
code=$(curl -s -o /tmp/gf_probe.json -w '%{http_code}' "$GHOSTFOLIO_BASE_URL$ep" \
```

Recommendation

Delete /tmp/gf_probe.json after probing, or change the probe to write to /dev/null if only the HTTP status code is needed.

What this means

If used against an untrusted or intercepted remote connection, credentials or portfolio data could be exposed.

Why it was flagged

The troubleshooting guidance mentions disabling TLS certificate verification. It is framed as temporary diagnostics, but using it with bearer tokens can weaken transport security.

Skill content

"For remote TLS diagnostics only, temporary `curl -k` can help."

Recommendation

Avoid `curl -k` with real tokens unless you are on a trusted network and diagnosing a known certificate issue; fix TLS validation before normal use.