Portfolio Monitor

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: portfolio-monitor
Version: 1.1.0

The skill bundle is a legitimate investment portfolio monitor that uses the 'yfinance' library to fetch market data. The code in 'scripts/portfolio.py' performs standard financial calculations and saves the results to a state file. While it contains hardcoded absolute paths (e.g., '/Users/apple/.openclaw/workspace/memory/portfolio.json') which are poor practice and likely to cause functional errors on most systems, there is no evidence of malicious intent, data exfiltration, or unauthorized system access.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the dependency this way could change or conflict with system Python packages.

Why it was flagged

The setup uses an unpinned package install and the --break-system-packages option, which can modify the user's Python environment outside normal package-manager protections.

Skill content

pip3 install yfinance --break-system-packages

Recommendation

Prefer installing in a virtual environment and pinning a yfinance version if reproducibility matters.

What this means

A third-party market-data service may observe which ticker symbols are being queried.

Why it was flagged

The script sends portfolio symbols to the yfinance data provider to retrieve prices. This is expected for live market pricing, but the queried assets may reveal part of the user's watchlist or holdings.

Skill content

ticker = yf.Ticker(symbol)
hist = ticker.history(period='1d')

Recommendation

Use the skill only if you are comfortable with yfinance/Yahoo Finance receiving the queried symbols.

What this means

Financial portfolio summaries may remain stored locally after the script runs and could be visible to later workspace activity.

Why it was flagged

The script persists portfolio-derived values such as total value, cost, profit, and per-symbol performance into the workspace memory directory.

Skill content

with open('/Users/apple/.openclaw/workspace/memory/portfolio_state.json', 'w') as f:
    json.dump(state, f, indent=2)

Recommendation

Review and protect the memory directory, and avoid storing portfolio details there if other tools or users can access the workspace.