Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Portfolio Daily Tracker
v1.2.0
Track and report multi-group stock portfolios with daily snapshots, live Yahoo Finance prices, P&L analytics, and push notifications (Feishu/Telegram). Suppo...
by Yann_Sheng(SII) @stepuuu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match what the included scripts and tools do: reading/writing portfolio files, generating snapshots/reports, updating holdings, and optionally pushing notifications. Declared optional env vars (OPENAI_API_KEY, FEISHU_WEBHOOK, TELEGRAM_BOT_TOKEN, PORTFOLIO_DIR) are coherent with the described features.
Instruction Scope
Runtime instructions and tools operate on local portfolio files under engine/portfolio (read/write snapshots, holdings, history.csv) and run engine scripts (portfolio_manager.py, portfolio_snapshot.py, portfolio_report.py, portfolio_daily_update.py). This scope is expected, but the skill instructs the user to run scripts/setup.sh which will clone an external repo and expects engine scripts that are not bundled here — the agent’s runtime behavior therefore depends on code downloaded at setup time.
Install Mechanism
There is no formal install spec in the registry, but scripts/setup.sh (bundled) will git clone https://github.com/Stepuuu/portfolio-daily-tracker.git into a target directory and then attempt pip3 install -r dashboard/requirements.txt from that repo. Cloning an external GitHub repository and running pip install from files inside it is a supply-chain risk because code and dependencies are unpinned and come from a third-party repo not reviewed here.
Credentials
No required credentials are enforced by the registry. The optional environment variables listed in SKILL.md are proportionate to the features: OPENAI_API_KEY for chat features, FEISHU_WEBHOOK/TELEGRAM_BOT_TOKEN for push notifications, and PORTFOLIO_DIR to override data paths. There are no unrelated credential requests.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. Its actions are limited to local files under the project engine/portfolio and running engine scripts; persistent presence or elevated privileges are not requested.
What to consider before installing
This skill appears to implement what it claims, but before running setup.sh or otherwise installing it you should:
1) inspect the GitHub repository it clones (https://github.com/Stepuuu/portfolio-daily-tracker.git) — ideally pin to a specific commit or tag instead of cloning the HEAD;
2) review the repo's scripts (portfolio_daily_update, portfolio_manager, snapshot/report scripts) to confirm there is no unexpected network exfiltration or destructive behavior;
3) review dashboard/requirements.txt and avoid installing untrusted packages without vetting;
4) run setup in a restricted environment (non-root account, isolated VM/container) if you want to test;
5) only provide FEISHU/TELEGRAM tokens and an OPENAI key if you trust the code that will transmit notifications; and
6) back up any existing portfolio data before letting the skill modify files.
These precautions reduce supply-chain and execution risk. If you want, I can list the files in the upstream GitHub repo or help identify which dependencies to audit/pin.
Like a lobster shell, security has layers — review code before you run it.
