Portfolio Manager

v0.1.0

Comprehensive portfolio analysis using Alpaca MCP Server integration to fetch holdings and positions, then analyze asset allocation, risk metrics, individual stock positions, diversification, and generate rebalancing recommendations. Use when user requests portfolio review, position analysis, risk assessment, performance evaluation, or rebalancing suggestions for their brokerage account.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to integrate with Alpaca MCP and therefore legitimately needs Alpaca API credentials and access to MCP tools. However the registry metadata lists no required environment variables or primary credential. That mismatch (no declared credentials vs. many docs instructing you to supply API keys) is an incoherence that should be resolved before trusting the skill.
Instruction Scope
SKILL.md instructs the agent to call MCP tools (mcp__alpaca__get_positions, get_account_info, get_portfolio_history) and — if MCP is unavailable — to use direct Alpaca API calls, create ~/.alpaca/config.ini, and set ALPACA_API_KEY / ALPACA_SECRET_KEY env vars. The instructions also reference a setup document using the filename references/alpaca_mcp_setup.md (underscore) while the repository contains references/alpaca-mcp-setup.md (hyphen) — a broken reference. The skill also instructs fetching market fundamentals via WebSearch or other APIs. The instructions therefore access environment variables and local config paths that are not declared in metadata, creating scope/visibility inconsistencies.
Install Mechanism
There is no install spec (instruction-only skill), which reduces installer risk. The README and references suggest optionally running pip install alpaca-trade-api for the direct-integration fallback, but no automated installer is provided. This is acceptable but the lack of an explicit install step means the agent/user will run commands themselves — the test script (scripts/test_alpaca_connection.py) should be reviewed before execution.
Credentials
Although the registry lists no required env vars or primary credential, the README and SKILL.md explicitly instruct users to export ALPACA_API_KEY, ALPACA_SECRET_KEY and ALPACA_PAPER or create ~/.alpaca/config.ini. Requesting private API keys is reasonable for a brokerage-integrated tool, but those credentials are not declared in the skill metadata. The absence of declared credential requirements is misleading and increases risk because users may not realize they're supplying sensitive keys to this skill.
Persistence & Privilege
always:false and no install spec means the skill does not request forced persistent inclusion. The skill does instruct saving generated reports to the repository, and references configuration changes (persisting env vars) but it does not claim elevated privileges or modifications to other skills. Autonomous invocation is allowed by default (not flagged alone) — note that autonomous invocation + undisclosed credential use would increase risk.
What to consider before installing
This skill appears to implement the advertised Alpaca portfolio analysis, but its metadata is inconsistent with its documentation: the repo and SKILL.md tell you to provide ALPACA_API_KEY / ALPACA_SECRET_KEY and a local config file while the registry metadata lists no required secrets. Before installing or running:
1) Inspect scripts/test_alpaca_connection.py and any code that will run to confirm it only uses your keys for read-only portfolio queries;
2) Prefer providing read-only or paper-trading API keys, not live trading keys, and test with a paper account;
3) Don’t paste secrets into chat or commit them to version control — use environment variables or a properly permissioned config file (chmod 600);
4) Verify filename mismatches in SKILL.md (references/alpaca_mcp_setup.md vs references/alpaca-mcp-setup.md) and ask the publisher/owner for source/homepage or signed provenance if you need higher assurance;
5) Run the test script in an isolated environment (container or throwaway VM) first;
6) If you’re uncomfortable with missing metadata or unknown source, decline or only use the manual-CSV mode so you don’t supply broker credentials.
If the publisher can update the skill to declare the required env vars and explain exactly when/where keys are used, re-evaluate — that would raise my confidence.

Like a lobster shell, security has layers — review code before you run it.
