Crypto Holdings Monitor
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Wallet addresses can reveal financial activity if someone with local access reads the file, even though the artifacts do not show those addresses being uploaded.
The script stores user-added wallet addresses persistently in a hidden JSON file in the user's home directory.
DATA_FILE = os.path.expanduser("~/.crypto-portfolio.json") ... data["wallets"].append(wallet)Only add wallet addresses you are comfortable storing locally, and delete or protect ~/.crypto-portfolio.json if you no longer want the data retained.
Using view, refresh, or report will contact an external price provider for coin price data, but the code only sends coin identifiers and does not include stored wallet addresses in the request.
The script makes outbound network requests to CoinGecko to retrieve cryptocurrency prices.
PRICE_API = "https://api.coingecko.com/api/v3/simple/price" ... urllib.request.urlopen(req, timeout=10)
Use the skill only if you are comfortable with price lookups being made to CoinGecko; no API key is required.
Users have less external provenance information to verify who authored or maintains the skill.
The registry metadata does not provide an upstream source or homepage for provenance, although the reviewed package includes the script contents and no install-time dependency fetches.
Source: unknown Homepage: none
Review the included script before use and prefer updates from a known source if one becomes available.