Daily Portfolio Analysis

Review

Audited by ClawScan on May 10, 2026.

Overview

The portfolio-reporting purpose is coherent, but the skill stores real holdings and advertises automatic chat delivery through missing/undeclared notification code, so it needs careful review before use.

Before installing, review the full notification code, confirm exactly where Feishu/WeChat reports will be sent, and decide whether you are comfortable storing real holdings in ~/.openclaw/workspace/memory/portfolio.json. If you only need local reports, disable or remove scheduled chat push functionality.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your real positions, share counts, costs, and cash balances may be kept locally for reuse in future reports.

Why it was flagged

The script reads a persistent portfolio file from OpenClaw workspace memory; the skill/template state this file contains real holdings data, so users should treat it as sensitive persistent memory.

Skill content

config_path = os.path.expanduser("~/.openclaw/workspace/memory/portfolio.json")

Recommendation

Store portfolio.json only in a protected location, avoid including unnecessary account identifiers in screenshots, and delete or rotate the file when you no longer need the skill.

What this means

Ticker symbols and market-data requests may be visible to Yahoo Finance and the local Futu OpenD service.

Why it was flagged

The script calls Yahoo Finance and a local Futu OpenD quote service to retrieve prices, which is expected for the stated portfolio-analysis purpose but exposes ticker requests to those services.

Skill content

url = f'https://query1.finance.yahoo.com/v8/finance/chart/{ticker}?interval=5m&range=1d' ... OpenQuoteContext(host='127.0.0.1', port=11111)

Recommendation

Use only if you are comfortable with those providers receiving quote requests for the securities in your portfolio.

What this means

A missing or externally supplied helper could determine where sensitive portfolio reports are sent and how credentials are handled.

Why it was flagged

The script depends on a Feishu notification helper that is not present in the provided file manifest, so the code path that would send reports is not reviewable from the supplied artifacts.

Skill content

from feishu_notifier import send_feishu_text_message

Recommendation

Do not enable notifications until the exact feishu_notifier source, dependencies, and configuration are provided and reviewed.

What this means

Your complete portfolio report could be automatically delivered to a third-party chat destination if misconfigured or if the missing notifier behaves unexpectedly.

Why it was flagged

The skill advertises scheduled delivery of full portfolio reports to external chat platforms, but the artifacts do not define the webhook/recipient configuration, authentication handling, or opt-in controls.

Skill content

**Scheduled push** - automatically sends the report to Feishu/WeChat, etc. every day

Recommendation

Require explicit user confirmation for scheduled pushes, document the exact recipients/webhooks, and provide a clear way to disable notifications.