Crypto Holdings Monitor

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: crypto-holdings-monitor
Version: 1.0.0

The skill is a straightforward cryptocurrency portfolio tracker that stores wallet addresses in a local JSON file (~/.crypto-portfolio.json) and fetches market prices from the CoinGecko API. Analysis of scripts/portfolio.py shows no evidence of data exfiltration, malicious command execution, or obfuscation; it uses standard Python libraries (urllib) for network requests and does not transmit sensitive user data to external servers.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Wallet addresses can reveal financial activity if someone with local access reads the file, even though the artifacts do not show those addresses being uploaded.

Why it was flagged

The script stores user-added wallet addresses persistently in a hidden JSON file in the user's home directory.

Skill content

DATA_FILE = os.path.expanduser("~/.crypto-portfolio.json") ... data["wallets"].append(wallet)

Recommendation

Only add wallet addresses you are comfortable storing locally, and delete or protect ~/.crypto-portfolio.json if you no longer want the data retained.

What this means

Using view, refresh, or report will contact an external price provider for coin price data, but the code only sends coin identifiers and does not include stored wallet addresses in the request.

Why it was flagged

The script makes outbound network requests to CoinGecko to retrieve cryptocurrency prices.

Skill content

PRICE_API = "https://api.coingecko.com/api/v3/simple/price" ... urllib.request.urlopen(req, timeout=10)

Recommendation

Use the skill only if you are comfortable with price lookups being made to CoinGecko; no API key is required.

What this means

Users have less external provenance information to verify who authored or maintains the skill.

Why it was flagged

The registry metadata does not provide an upstream source or homepage for provenance, although the reviewed package includes the script contents and no install-time dependency fetches.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included script before use and prefer updates from a known source if one becomes available.