harrylabsj

Portfolio Risk Sensemaker

by haidong · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
74 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install portfolio-risk-sensemaker
Description
A plain-English portfolio reading skill that turns a holdings list into understandable risk patterns. Use when the user wants to understand the risk profile...
Usage Guidance
This skill claims to be prompt-only but includes code that reads a hard-coded path under /Users/jianghaidong/.openclaw/skills/{skill_name} with no input sanitization. That enables a caller to cause the skill to read local files (path-traversal risk) and exposes a developer's home path. Before installing: (1) ask the author why the skill needs to read SKILL.md and remove that behavior if unnecessary; (2) request that file access be limited to the skill's own directory and that skill_name be validated/normalized (no '../'); (3) run the code in a sandboxed environment or review it locally; and (4) if you must install, do not grant it access to sensitive host files. If the author cannot justify the disk read, treat this as a red flag and avoid installing.
Capability Analysis
Type: OpenClaw Skill
Name: portfolio-risk-sensemaker
Version: 1.0.0
The handler.py file contains a hardcoded absolute path referencing a specific local user directory (/Users/jianghaidong/) and lacks input validation for the skill_name parameter, which introduces a path traversal vulnerability. While the current logic reads the file without exfiltrating its content, the use of absolute paths and unvalidated input are high-risk patterns that deviate from secure coding practices for portable skill bundles.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
The skill is described as prompt-only and not needing any files or credentials, but handler.py contains code to load a SKILL.md from a hard-coded path (/Users/jianghaidong/.openclaw/skills/{skill_name}). Reading local skill files is unnecessary for a prompt-only portfolio analyzer and the hard-coded user path is unusual and disproportionate.
Instruction Scope
SKILL.md instructions do not mention reading disk files. The handler's _load_skill_meta opens a file based on the provided skill_name with no validation or sanitization, allowing the agent (or whoever calls handle) to trigger arbitrary file reads under that filesystem prefix — behavior outside the documented scope.
Install Mechanism
No install specification and no external downloads; the skill is instruction-only with two small local code files, so there is no elevated install risk.
Credentials
The skill declares no environment variables or credentials (consistent with its description). However, the handler's file read is an undeclared capability to access local filesystem data, which is not captured by requires.env and so is under-specified and surprising.
Persistence & Privilege
The skill is not marked always:true and does not attempt to modify other skills or global agent settings. It does, however, read from disk when invoked, which is a runtime privilege but not persistent configuration.
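The Usage Guidance and Instruction Scope sections above ask for file access to be limited to the skill's own directory and for skill_name to be validated and normalized. The following is an added example of what such a loader looks like; it is not code from the portfolio-risk-sensemaker skill or from OpenClaw. The name _load_skill_meta and the parameter skill_name come from the analysis above; skills_root, SKILL_NAME_RE, SkillPathError and the constructed directory layout in demo() are assumptions made for this example.

```python
"""Hardened replacement for a _load_skill_meta-style reader (added example).

Not the skill's own code. Assumed names: skills_root (the runtime passes the
skills directory in instead of a hard-coded developer home path),
SKILL_NAME_RE and SkillPathError.
"""
import re
import tempfile
from pathlib import Path

# Only allow the characters a slug like "portfolio-risk-sensemaker" needs:
# no '/', no '..', no spaces, no leading '-' or '.'.
SKILL_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")


class SkillPathError(ValueError):
    """Raised when a skill name or its resolved path fails validation."""


def validate_skill_name(skill_name: str) -> str:
    """Reject anything that is not a plain slug before it touches the filesystem."""
    if not isinstance(skill_name, str) or not SKILL_NAME_RE.fullmatch(skill_name):
        raise SkillPathError(f"invalid skill name: {skill_name!r}")
    return skill_name


def load_skill_meta(skill_name: str, skills_root: Path) -> str:
    """Read <skills_root>/<skill_name>/SKILL.md, refusing to escape skills_root.

    Two independent checks: the name is validated as a slug, and the fully
    resolved target path is checked for containment in the resolved root so
    that a symlinked skill directory cannot redirect the read elsewhere.
    """
    name = validate_skill_name(skill_name)
    root = skills_root.resolve()
    target = (root / name / "SKILL.md").resolve()
    if root not in target.parents:
        raise SkillPathError(f"path escapes skills root: {target}")
    return target.read_text(encoding="utf-8")


def demo() -> dict:
    """Build a constructed skills directory and exercise the loader.

    Returns a dict mapping each tried name to the file content (valid case)
    or to 'allowed'/'rejected' for the malformed names.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "skills"
        skill_dir = root / "portfolio-risk-sensemaker"
        skill_dir.mkdir(parents=True)
        (skill_dir / "SKILL.md").write_text("# constructed SKILL.md\n", encoding="utf-8")
        # A constructed file one level above the skills root; a traversal in
        # skill_name would otherwise be able to reach it.
        (Path(tmp) / "secret.txt").write_text("constructed secret\n", encoding="utf-8")

        results["ok"] = load_skill_meta("portfolio-risk-sensemaker", root)
        for bad in ("../secret.txt", "x/../../secret.txt", "", "Bad Name"):
            try:
                load_skill_meta(bad, root)
                results[bad] = "allowed"
            except SkillPathError:
                results[bad] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome.strip()}")
```

Passing the root in rather than embedding /Users/jianghaidong/... also removes the exposed home path and makes the bundle portable; the containment check on the resolved path is what covers the case the slug regex alone cannot (a symlink inside the skills directory pointing outside it).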
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install portfolio-risk-sensemaker
  3. After installation, invoke the skill by name or use /portfolio-risk-sensemaker
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of portfolio-risk-sensemaker
- Translates user-provided crypto holdings into plain-English risk profiles.
- Highlights concentration risk, overlap, exposure imbalance, and downside scenarios.
- Offers reflection questions and notes missing information.
- Designed for easy, chart-free understanding.
- Works with percentages, buckets, or ranked lists—even if incomplete.
Metadata
Slug portfolio-risk-sensemaker
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Portfolio Risk Sensemaker?

A plain-English portfolio reading skill that turns a holdings list into understandable risk patterns. Use when the user wants to understand the risk profile... It is an AI Agent Skill for Claude Code / OpenClaw, with 74 downloads so far.

How do I install Portfolio Risk Sensemaker?

Run "/install portfolio-risk-sensemaker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Portfolio Risk Sensemaker free?

Yes, Portfolio Risk Sensemaker is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Portfolio Risk Sensemaker support?

Portfolio Risk Sensemaker is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Portfolio Risk Sensemaker?

It is built and maintained by haidong (@harrylabsj); the current version is v1.0.0.
