Groww
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a coherent Groww trading skill, but it can guide an agent to place or cancel real stock orders without documented confirmation safeguards.
Install only if you intentionally want OpenClaw to access your Groww account. Treat this as a high-risk trading integration: verify the MCP server source, use the least-privileged API key possible, and require explicit confirmation before any buy, sell, or cancel action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-eager agent action could submit or cancel real stock trades, potentially causing financial loss.
The skill provides direct commands for placing and canceling broker orders, but the artifact does not include approval, review, risk-limit, or confirmation requirements before those high-impact actions.
mcporter call groww-mcp.place_order symbol=TATAMOTORS quantity=10 side=BUY type=MARKET ... mcporter call groww-mcp.cancel_order orderId=ABC123
Require explicit final user confirmation before every trade or cancellation, showing the exact symbol, side, quantity, order type, price or market-order warning, validity, estimated cost, and account impact.
Anyone or any agent flow with access to this key may be able to view portfolio data and perform trading actions depending on the key's permissions.
The skill requires a Groww API key. That is purpose-aligned for a broker integration, but it grants sensitive portfolio and trading authority.
"requires": { "env": ["GROWW_API_KEY"] }, "primaryEnv": "GROWW_API_KEY"Use the least-privileged Groww API key available, prefer read-only access unless trading is intended, avoid logging or sharing the key, and revoke it when no longer needed.
If the referenced MCP server is unreviewed or replaced, it could mishandle the broker API key or execute unintended trading actions.
The skill depends on a separate MCP server for portfolio and order tools, but the supplied artifacts include no code, install specification, source, or version pin for that server. Because the server would handle broker operations, this provenance gap is material.
The groww-mcp server is configured. Call tools via mcporter:
Only use this with a reviewed, trusted, version-pinned groww-mcp server; include its install source and permissions in the skill metadata before enabling trading.