Position Tracker
v1.0.1Keep track of positions across any exchange, broker, or external system. Detect orphans, prevent leaks. Self-healing state reconciliation for any stateful bot.
⭐ 0· 226·0 current·0 all-time
byShadow Rose@theshadowrose
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description claim a generalized state machine for tracking external positions and reconciling state. The shipped code and SKILL.md implement exactly that: a PositionTracker class, an ExternalAPIAdapter interface, and persistence to a local state file. Nothing in the bundle requests unrelated credentials or system access that would be out of scope for a position tracker. Adapters you write will legitimately need credentials for the external systems they talk to — that is expected and not requested by the skill itself.
Instruction Scope
Runtime instructions stay within the stated purpose: implement an ExternalAPIAdapter, call detect_orphans(), cleanup_orphans(), reconcile(), etc. The code reads/writes only its state_dir/state_file and does not reference other system paths, environment variables, or remote endpoints on its own. Notes: the docs mention features (e.g., log_file parameter, MockAPIAdapter/tests) that are not present or not obviously exposed in the code — minor documentation drift. Also, the library can auto-close remote positions via adapter.close_position when enable_auto_reconcile is enabled; that behavior is consistent with the purpose but is a high-impact action users must control.
Install Mechanism
No install spec is provided in the registry (instruction-only skill). The SKILL.md suggests 'pip install position-tracker' or copying position_tracker.py; there is no package provenance in the registry metadata or homepage to verify the pip package. As distributed here, the safer option is to copy/review the provided position_tracker.py. No downloads or archive extraction occur during install in the bundle.
Credentials
The skill declares no required environment variables, primary credential, or config paths. This is appropriate because it delegates external API access to user-provided adapters; those adapters will be the place to supply credentials (API keys, secrets). The lack of requested secrets in the skill itself is proportionate. One caveat: enabling auto_reconcile allows the skill to trigger adapter.close_position() — if an adapter uses credentials to close real money positions, that is a powerful capability and should be guarded.
Persistence & Privilege
The skill persists only its own state to a configurable state_dir (default './state') and uses atomic writes. always:false and user-invocable:true. It does not modify other skills or system-wide agent settings. Recommendation: run with a dedicated state directory and filesystem permissions appropriate to your risk model.
Assessment
This skill appears to do what it says: a local state machine and reconciliation helper that relies on user-supplied adapters to talk to external systems. Before installing or enabling in production: 1) Review the provided position_tracker.py source (you already have it) and any adapter code you will plug in. 2) Do not enable enable_auto_reconcile (or set auto_close) against real trading/billing accounts until you have thoroughly tested behaviors in a safe sandbox — auto-reconcile can call adapter.close_position() and have financial impact. 3) Keep adapter credentials (API keys, secrets) out of this library; supply them only to the adapter implementation and store them securely. 4) Prefer copying and reviewing the shipped file rather than blindly running pip install unless you verify the package provenance. 5) Configure a dedicated state_dir with restrictive permissions and set conservative min_position_value/max_positions to avoid noisy or destructive auto-actions. 6) Fix documentation drift (e.g., log_file mentioned in docs but not in constructor) or verify the exact API surface in your deployed copy.Like a lobster shell, security has layers — review code before you run it.
financevk973ejs1t7zsy1a3ffe4v1qh3d82nwnzlatestvk973ejs1t7zsy1a3ffe4v1qh3d82nwnzportfoliovk973ejs1t7zsy1a3ffe4v1qh3d82nwnzpositionsvk973ejs1t7zsy1a3ffe4v1qh3d82nwnztrackingvk973ejs1t7zsy1a3ffe4v1qh3d82nwnztradingvk973ejs1t7zsy1a3ffe4v1qh3d82nwnz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.