Skill v0.0.1
ClawScan security
Portfolio Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:05 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality matches a portfolio tracker, but its runtime instructions ask the agent to attach an existing Chrome profile for browser automation (access that can expose unrelated browser data) without declaring that access — this mismatch and the handling of sensitive holdings warrant caution.
- Guidance: This skill appears to do what it says (read a local holdings file, scrape Yahoo Finance, update a portfolio file), but exercise caution before installing/using it:
  - The SKILL.md asks the agent to 'attach' an existing Chrome profile (profile=open-claw-chrome). That can give the automation access to cookies, logged-in sessions, and other browser data unrelated to portfolio tracking. Confirm what 'attach' means in your environment and whether you are comfortable granting that access.
  - The holdings file contains real financial and crypto positions. Only run this skill if you trust the skill owner and the runtime environment; consider using a sanitized/test holdings file first.
  - The included Python script is small and appears harmless (it just reads and parses the local holdings file). Still review any code before use and run it in a sandbox if possible.
  - If you need to mitigate risk: create a dedicated browser profile with no saved logins and only the minimal extension/context required; or modify the workflow to use an ephemeral browser context instead of attaching an existing profile.

  If the author documents why a profile must be attached (and declares the config path or permission), or if the skill is updated to launch a fresh browser context instead of attaching an existing profile, my concern would be reduced.
Review Dimensions
- Purpose & Capability (note): Name and instructions align with a portfolio tracking use-case: reading a local holdings file, scraping Yahoo Finance for quotes, computing values, and writing an analysis file. The included Python script simply parses the holdings file and prints samples, which is consistent with the stated purpose. However, the SKILL.md explicitly instructs attaching a Chrome profile (profile=open-claw-chrome) for browser automation; that capability is plausible for scraping but is not reflected in the declared requirements (no config paths or permissions).
- Instruction Scope (concern): Instructions tell the agent to read references/portfolio-holdings.md and to attach a Chrome extension/profile and snapshot Yahoo Finance pages to extract prices. Reading the holdings file and scraping Yahoo Finance is in scope, but 'attach Chrome extension (profile=open-claw-chrome)' implies access to an existing browser profile (cookies, other tabs, stored auth), which is broader than the skill's stated data needs. The instructions do not direct data to external endpoints beyond Yahoo Finance, and the skill does not instruct exfiltration, but the implicit request to access a browser profile is a significant scope expansion that isn't documented as a required config path or permission.
- Install Mechanism (ok): There is no install spec; the skill is instruction-only plus a small helper script. Nothing is written to disk by an installer and no external code downloads are requested, which is low risk from an install-mechanism perspective.
- Credentials (concern): The skill declares no required environment variables or config paths, yet its runtime instructions expect access to a specific Chrome profile name. That is an access mismatch: attaching an existing browser profile can expose broad sensitive data (cookies, sessions, other sites), but there is no explicit declaration or justification in the manifest. The holdings file is local and expected to be read, which is proportionate to the purpose, but it contains sensitive financial information and the skill will read and process it.
- Persistence & Privilege (ok): The skill is not marked always:true, is user-invocable, and does not request persistent/system-wide modifications in the manifest. There is no evidence it modifies other skills or global configuration.
