Crypto Portfolio Tracker API

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to be a coherent crypto price and portfolio valuation client, but users should notice that it contacts PRISM API, may use a PRISM_API_KEY, and has some package provenance inconsistencies.

This skill looks safe to use for price lookups and local portfolio valuation if you trust the PRISM API and the npm package source. Verify the package identity before installation, and only provide a PRISM_API_KEY meant for this service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If PRISM_API_KEY is set, the skill can use that key when making price requests.

Why it was flagged

The code can read an API key from the environment and send it to the API endpoint. This is normal for a PRISM API integration, but the registry lists no required or declared environment variables.

Skill content

this.apiKey = options.apiKey || process.env.PRISM_API_KEY || null; ... const headers = this.apiKey ? { 'X-API-Key': this.apiKey } : {};

Recommendation

Only set PRISM_API_KEY to a key intended for PRISM API use, and avoid overriding the API base URL with an untrusted endpoint.

What this means

The external API can observe the crypto symbols being looked up, which may reveal part of a portfolio composition.

Why it was flagged

The skill sends requested token symbols to an external provider API to retrieve prices. This is aligned with the portfolio-tracking purpose, but it means the provider may see which assets are being queried.

Skill content

const url = `${this.baseUrl}/crypto/prices/batch?symbols=${symbols.join(',')}`; ... const response = await fetch(url, { headers });

Recommendation

Use the skill only if you are comfortable sharing queried token symbols with PRISM API; avoid entering sensitive wallet/private-key information, which the shown code does not require.

What this means

Users may be unsure which npm package or repository is authoritative.

Why it was flagged

These identifiers differ from SKILL.md/package.json, which use crypto-portfolio-tracker-api and a different repository path. This is a provenance and packaging clarity issue rather than evidence of malicious behavior.

Skill content

"name": "strykr-portfolio-tracker", ... "npm": "@strykr/portfolio-tracker", "repository": "https://github.com/Strykr-Ai/portfolio-tracker"

Recommendation

Before installing, verify that the npm package, repository, and publisher match the intended PRISM/Strykr project.