Claw Portfolio
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent local portfolio tracker, with expected caution points around npm installation, local financial-data storage, external price lookups, and user-directed edits to portfolio records.
Before installing, understand that this is a local record-keeping tool: it installs npm dependencies, stores your portfolio in data/portfolio.json, and queries third-party market-data services for symbols. Run the optional web UI only on a trusted machine, keep backups, and confirm any sell/remove/delete actions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill will fetch and run a local npm-based project, and npm link can add a global portfolio command.
The skill relies on user-directed npm dependency installation and optional global CLI linking, which is expected for this Node/Next.js tool but still means local package code and dependencies are trusted.
First, install the required dependencies:
```bash
npm install
```
**Optional:** Link the CLI globally for easier access:
```bash
npm link
```
Install from the intended repository, review package.json/package-lock.json if you need high assurance, and skip npm link unless you want a global command.
An agent or user action can alter or delete the locally tracked portfolio data, though the artifacts do not show real brokerage trading.
The optional web API can delete portfolios and holdings, and the CLI documentation also includes sell/remove commands; these mutations are core to portfolio management but can change local financial records.
if (body.action === 'deletePortfolio') {
const success = deletePortfolio(body.id);
...
export async function DELETE(request: Request) {
...
const success = removeHolding(id);
Keep backups of data/portfolio.json and require explicit confirmation before using sell, remove, or delete actions.
Your holdings, purchase prices, and sale history can remain in a local file and may be included in backups or visible to local users with file access.
The skill persistently stores portfolio holdings and related financial records on disk, which is expected for a tracker but may be sensitive.
Portfolio data is stored locally in `data/portfolio.json`. The data file is created automatically on first run with an empty portfolio.
Protect the project directory, avoid storing unnecessary sensitive account details, and back up or delete the data file according to your privacy needs.
Yahoo Finance and CoinGecko can see which symbols or crypto IDs are queried, which may reveal investment interests or holdings.
The CLI queries external price providers using stock symbols or crypto IDs, which is disclosed and necessary for real-time pricing but reveals queried assets to those services.
https://api.coingecko.com/api/v3/simple/price?ids=${encodeURIComponent(coinId)}...
https://query1.finance.yahoo.com/v8/finance/chart/${encodeURIComponent(symbol)}?interval=1d&range=1d
Use live-price and dividend features only for assets you are comfortable querying through those third-party services.
