Skill v1.0.0

ClawScan security

local-portfolio-auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 2:46 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions are consistent with a read-only local portfolio auditor that queries public APIs and do not request or store private keys.
Guidance
This skill appears to do what it says: read a local portfolio.json and call public APIs for prices/balances. Before installing, review and edit portfolio.json locally (do not put private keys or secrets there). If you want accurate stock prices, integrate a trusted stock API and supply its API key via environment variables; main.py currently uses a dummy stock price and only optionally uses ETHERSCAN_API_KEY for ETH balances. Consider running it in an isolated environment (or container) if you are nervous about network calls, and verify any added dependencies before installing.

Review Dimensions

Purpose & Capability
ok
The name/description match the implementation: main.py reads a local portfolio.json and queries CoinGecko and (optionally) Etherscan for read-only data. There are no unrelated binaries, credentials, or system paths requested.
Instruction Scope
ok
SKILL.md instructs the agent to run python3 main.py, which only reads a local portfolio.json and makes outbound HTTP requests to public APIs. The instructions do not direct the agent to read unrelated files, exfiltrate data to arbitrary endpoints, or perform write operations. Network calls are limited to CoinGecko, Etherscan, and an AlphaVantage placeholder.
Install Mechanism
ok
No install spec is provided; this is an instruction-only skill with a small requirements.txt (requests). Nothing is downloaded from untrusted URLs and no archives are extracted.
Credentials
note
The manifest lists no required environment variables. main.py optionally reads ETHERSCAN_API_KEY (used only if set), and the README suggests an AlphaVantage API key for stock data; AlphaVantage is not actually read by main.py (it uses a dummy stock price). The optional ETHERSCAN_API_KEY is proportionate for address balance lookups; do not provide private keys.
Persistence & Privilege
ok
The always setting is false, and the skill does not modify other skills or agent-wide configuration. It has no elevated persistence or privileges.