Crypto Holdings Monitor

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a simple crypto wallet list and price-checking helper; it stores added wallet addresses locally and contacts CoinGecko for prices, with no credential use or destructive behavior shown.

This skill looks safe to install if you want a simple local crypto price and wallet-address tracker. Be aware that it saves wallet addresses in ~/.crypto-portfolio.json and uses CoinGecko for price lookups. It does not appear to fetch real on-chain balances despite the broader holdings-monitor description.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Wallet addresses can reveal financial activity if someone with local access reads the file, even though the artifacts do not show those addresses being uploaded.

Why it was flagged

The script stores user-added wallet addresses persistently in a hidden JSON file in the user's home directory.

Skill content

DATA_FILE = os.path.expanduser("~/.crypto-portfolio.json") ... data["wallets"].append(wallet)

Recommendation

Only add wallet addresses you are comfortable storing locally, and delete or protect ~/.crypto-portfolio.json if you no longer want the data retained.

What this means

Using view, refresh, or report will contact an external price provider for coin price data, but the code only sends coin identifiers and does not include stored wallet addresses in the request.

Why it was flagged

The script makes outbound network requests to CoinGecko to retrieve cryptocurrency prices.

Skill content

PRICE_API = "https://api.coingecko.com/api/v3/simple/price" ... urllib.request.urlopen(req, timeout=10)

Recommendation

Use the skill only if you are comfortable with price lookups being made to CoinGecko; no API key is required.

What this means

Users have less external provenance information to verify who authored or maintains the skill.

Why it was flagged

The registry metadata does not provide an upstream source or homepage for provenance, although the reviewed package includes the script contents and no install-time dependency fetches.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included script before use and prefer updates from a known source if one becomes available.