Crypto Portfolio Tracker API
v1.0.0
Track crypto portfolios with real-time prices, profit/loss calculations, and allocation analysis for Bitcoin, Ethereum, Solana, and 10,000+ tokens.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The code implements the described portfolio-tracking functionality (price lookups, valuation, P&L). However, repository/package/author metadata is inconsistent across files: package.json lists name "crypto-portfolio-tracker-api" and author "OpenFinance <hello@prismapi.ai>", skill.json references "strykr-portfolio-tracker" and npm "@strykr/portfolio-tracker", README/CLI text refer to Strykr/Prism. These naming and metadata mismatches are not themselves malicious but are incoherent and warrant verification of the package origin.
Instruction Scope
SKILL.md contains only installation and usage instructions for the library and CLI (npm install, API calls). It does not instruct reading unrelated system files, secrets, or exfiltrating data. CLI help notes an optional PRISM_API_KEY for higher rate limits, which is consistent with the code.
Install Mechanism
No install spec in the registry (instruction-only), and SKILL.md instructs installing the npm package. The provided code has no external installers or downloads and package.json lists no external dependencies—no high-risk install behavior observed.
Credentials
The code optionally reads PRISM_API_KEY from process.env.PRISM_API_KEY for higher rate limits but the registry metadata declared no required env vars. This is reasonable (optional key) but you should be aware the package will use an API key if provided. No other credentials or sensitive env vars are requested.
Persistence & Privilege
The skill does not request persistent/privileged presence (always: false). It does not modify other skills or system configuration and has no install-time scripts in the manifest that would grant elevated privileges.
Assessment
This package appears to be a normal crypto portfolio tracker that queries prismapi.ai for prices. Before installing:
1) Verify the npm package and publisher (package name in SKILL.md/package.json vs. skill.json mismatch) — install only from the official npm/org you expect.
2) Inspect the package on the npm registry or its GitHub repo to confirm the source and recent activity.
3) If you provide a PRISM_API_KEY, ensure it is a scoped API key (no private wallet keys) and understand it will be sent to https://api.prismapi.ai.
4) Prefer installing in an isolated environment and review the package code (src/index.js) for any unexpected network endpoints.
If you cannot confirm the publisher or repository, treat the metadata inconsistencies as a red flag and avoid installing until provenance is confirmed.
