投资组合监控
PassAudited by ClawScan on May 1, 2026.
Overview
This skill appears to be a straightforward portfolio monitor, but it stores financial portfolio data locally, queries Yahoo Finance via yfinance, and uses a riskier unpinned pip install command.
Before installing, consider using a Python virtual environment instead of --break-system-packages. Keep memory/portfolio.json private because it contains your holdings and cost basis, and be aware that ticker symbols are queried through yfinance/Yahoo Finance.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the dependency this way could change or conflict with system Python packages.
The setup uses an unpinned package install and the --break-system-packages option, which can modify the user's Python environment outside normal package-manager protections.
pip3 install yfinance --break-system-packages
Prefer installing in a virtual environment and pinning a yfinance version if reproducibility matters.
A third-party market-data service may observe which ticker symbols are being queried.
The script sends portfolio symbols to the yfinance data provider to retrieve prices. This is expected for live market pricing, but the queried assets may reveal part of the user's watchlist or holdings.
ticker = yf.Ticker(symbol) hist = ticker.history(period='1d')
Use the skill only if you are comfortable with yfinance/Yahoo Finance receiving the queried symbols.
Financial portfolio summaries may remain stored locally after the script runs and could be visible to later workspace activity.
The script persists portfolio-derived values such as total value, cost, profit, and per-symbol performance into the workspace memory directory.
with open('/Users/apple/.openclaw/workspace/memory/portfolio_state.json', 'w') as f:
json.dump(state, f, indent=2)Review and protect the memory directory, and avoid storing portfolio details there if other tools or users can access the workspace.