Portfolio Daily Tracker

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its portfolio-tracking purpose, but users should review it because setup pulls unpinned external code and the report pipeline can send private financial reports externally by default.

Review the GitHub repository and dependencies before running setup, use minimal notification/API credentials, and require explicit confirmation before sending reports or changing holdings, cash, or fund balances.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Future or modified upstream code could run locally with access to portfolio records and any configured notification/API credentials.

Why it was flagged

Setup obtains the core repository and its dependency list at install time without a pinned commit, tag, hash, or included lockfile, so reviewed artifacts do not fully define the code that will run.

Skill content

git clone https://github.com/Stepuuu/portfolio-daily-tracker.git "$TARGET"
...
pip3 install -r dashboard/requirements.txt

Recommendation

Install only after reviewing the cloned repository; prefer a pinned release/commit and a checked dependency lockfile, or ask the publisher to vendor the engine scripts in the reviewed skill package.

What this means

A request to generate a daily report could also send private financial details to configured Feishu/Telegram/Dashboard destinations.

Why it was flagged

The pipeline tool defaults to sending the report and describes pushing/syncing, which may transmit portfolio holdings and performance data to external messaging or dashboard services unless explicitly disabled.

Skill content

async def run_portfolio_pipeline(date: str, send_report: bool = True) -> Dict:
    """Run full pipeline: snapshot → report → push → sync."""
...
"description": "运行完整管道:快照→报告→推送→同步Dashboard"

Recommendation

Set send_report to false unless the user explicitly asks to send, and document the exact destinations, report contents, and opt-out behavior.

What this means

If configured, the skill or its external engine can use these tokens to call provider APIs or send messages.

Why it was flagged

The skill asks for optional service credentials/webhooks that are purpose-aligned for AI chat and notifications, but they still grant access to third-party services.

Skill content

OPENAI_API_KEY:
  description: OpenAI API key for AI chat features
...
FEISHU_WEBHOOK:
  description: Feishu/Lark webhook URL for push notifications
...
TELEGRAM_BOT_TOKEN:
  description: Telegram bot token for push notifications

Recommendation

Use least-privilege tokens/webhooks, rotate them if exposed, and avoid configuring services you do not plan to use.

What this means

Misinterpreted instructions could alter the skill's local financial tracking records or reports; based on the provided artifacts, they could not change actual brokerage holdings.

Why it was flagged

The documented commands can change or remove local portfolio records and cash/fund balances, which is expected for this skill but should remain user-directed.

Skill content

python3 scripts/portfolio_manager.py update <ticker> --qty <new_total> [--cost <price>] [--group <group_name>]
...
python3 scripts/portfolio_manager.py remove NASDAQ:META --group Growth
...
python3 scripts/portfolio_manager.py set-cash --group Growth --value -500000

Recommendation

Ask for confirmation before destructive or ambiguous changes, especially removals, rebalances, and cash/fund balance updates.