Uniswap Portfolio Report
v0.1.0
Generate a comprehensive portfolio report for a wallet's Uniswap positions across all chains — covering total value, PnL, fee earnings, impermanent loss, and composition. Use when the user asks about their positions, earnings, or portfolio overview.
by @wpank
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to generate Uniswap portfolio reports and delegates to a 'portfolio-analyst' subagent, which is a reasonable design. However, README/SKILL.md error handling references WALLET_TYPE and PRIVATE_KEY (agent wallet secrets) while the skill metadata declares no required env vars or credentials — asking for a private key would be disproportionate for a read-only reporting task unless clearly justified (e.g., to sign transactions).
Instruction Scope
SKILL.md itself is an instruction-only skill that delegates to Task(subagent_type:portfolio-analyst). The instructions do not explicitly perform network calls or file reads, but they rely entirely on the portfolio-analyst subagent, and the docs explicitly suggest using a configured agent wallet or PRIVATE_KEY. That scope creep (potential access to private keys or agent wallet) is not documented in the skill metadata and is a red flag.
Install Mechanism
The skill has no install spec (instruction-only), which is lower risk. README shows example npx install commands that fetch code from a GitHub path — those are user-run commands outside the skill bundle. Users should be cautious running npx install from an unknown repo, but the skill itself does not perform any downloads or installs.
Credentials
Declared requirements list no env vars or credentials, yet SKILL.md/README mention WALLET_TYPE and PRIVATE_KEY as configuration in error messages. This is inconsistent: requesting private key access (or implying it may be needed) is high-risk for a reporting skill and should be explicitly declared and justified. Also, the delegated portfolio-analyst may require RPC keys or subgraph endpoints but none are documented.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or modify other skills. It is user-invocable and delegates to a subagent — autonomous invocation is allowed by platform defaults but is not exceptional here.
What to consider before installing
This skill appears to do what it says (generate a Uniswap portfolio report) but the documentation hints it may use the agent's configured wallet or PRIVATE_KEY without declaring that requirement. Before installing or using it:
- Ask the author what 'portfolio-analyst' requires (does it need a PRIVATE_KEY, WALLET_TYPE, RPC keys, or only a public wallet address?).
- Do NOT provide private keys. Prefer supplying a public wallet address (read-only) and read-only RPC/subgraph access tokens if needed.
- If the tool needs to sign transactions, get a clear justification and consider using a separate signing service or ephemeral keys.
- Be cautious running the example npx install commands against an unknown GitHub repo — running npx on untrusted code executes remote scripts on your machine.
If the maintainer provides a clear, minimal list of required env vars (ideally none or only read-only RPC endpoints) and confirms the subagent will never request or store private keys, the assessment could be upgraded. Conversely, any requirement to provide PRIVATE_KEY or write secrets to the agent would keep this skill suspicious.
