local-portfolio-auditor

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it says: it reads a local portfolio file and queries public market APIs. Users should be aware, however, that financial holdings and an optional Etherscan API key are sent to external services.

This skill is reasonable for local portfolio auditing, but treat portfolio.json as sensitive financial data. Do not add private keys, use a dedicated API key if you configure Etherscan, and install the Python dependency in an isolated environment if possible.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

Your public wallet address and query activity may be visible to the API provider, even though the skill does not request or store private keys.

Why it was flagged

The skill sends the configured Ethereum address, and optionally an Etherscan API key, to an external public API. This is expected for balance lookup, but it means a provider can observe the queried address.

Skill content

    url = f"https://api.etherscan.io/api?module=account&action=balance&address={address}&tag=latest&apikey={etherscan_api_key}"

Recommendation

Only include wallet addresses you are comfortable querying through public APIs, and review the API provider's privacy and rate-limit terms.

Finding 2

What this means

If you set an Etherscan API key in the environment, the skill will use it for Ethereum balance checks.

Why it was flagged

The code can use an optional Etherscan API credential. This is purpose-aligned and optional, but it is credential access that users should deliberately configure.

Skill content

    etherscan_api_key = get_env_variable("ETHERSCAN_API_KEY", optional=True)

Recommendation

Use a dedicated, low-privilege API key where possible, keep it in environment variables, and do not hardcode it into files.

Finding 3

What this means

Installing dependencies changes your local Python environment, although the only declared requirement is a pinned version of the requests package.

Why it was flagged

The skill relies on a manual Python dependency installation step. The dependency is pinned in requirements.txt, and this is normal for a Python skill, but users should verify the local files before installing.

Skill content

    pip install -r requirements.txt

Recommendation

Install in a virtual environment if possible and review requirements.txt before running the skill.