← Back to Skills Marketplace

portfolio tracking

Name: portfolio tracking
Author: aigeneralstore

by aigeneralstore · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

545

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install portfolio-tracking-skill

Description

An investment portfolio tracker that runs entirely locally. All data stays in ~/.portfolio-tracker/.

Usage Guidance

This skill largely matches its stated purpose — local CLI scripts that read/write ~/.portfolio-tracker — but there are important caveats you should consider before installing: - The code performs network calls. Syncing requires contacting Binance (using the API key/secret you provide), IBKR, price providers (CoinGecko/Yahoo), and public EVM RPC endpoints (e.g., eth.llamarpc.com). If you expect complete offline/local operation, that expectation is incorrect. - API keys and IBKR tokens are stored unencrypted in ~/.portfolio-tracker/config.json. The skill suggests chmod 600, which helps, but the secret remains plaintext on disk. Use only read-only Binance keys and consider whether you want secrets stored there. - Public RPC providers will see wallet addresses you query. If you are privacy-sensitive about addresses queried (e.g., connecting a hot wallet), consider pointing the code to your own RPC node or a privacy-respecting provider. - The install step requires running npm install in the scripts folder; that pulls packages from the public npm registry (ethers, etc.). If you want higher assurance, review the package-lock and audit dependencies before installing. - If you proceed: review the source files (already included), run in a sandboxed environment if possible, create read-only exchange keys, set tight file permissions on ~/.portfolio-tracker/config.json, and verify/change the hard-coded RPC endpoints if you prefer different providers. If you want, I can: (a) point out exact lines where network calls occur, (b) show how to modify the RPC endpoints to a provider you trust, or (c) produce a secure checklist for creating read-only keys and safely storing them.

Capability Analysis

Type: OpenClaw Skill Name: portfolio-tracking-skill Version: 1.0.0 The skill is classified as suspicious due to security vulnerabilities related to the handling of sensitive API keys and secrets. Specifically, `scripts/binance-sync.ts` and `scripts/ibkr-sync.ts` pass API keys/secrets as command-line arguments (`process.argv`), which can expose these credentials to other users on a multi-user system or in system logs. Additionally, API keys and wallet addresses are stored in plaintext JSON in `~/.portfolio-tracker/config.json`. While the documentation (`SKILL.md`, `README.md`, `commands/setup.md`) explicitly states local storage and recommends `chmod 600` for the config file, this storage method and CLI argument passing represent a vulnerability, not malicious intent to exfiltrate data. All network calls are to legitimate financial/crypto APIs for read-only data, and there is no evidence of data exfiltration, malicious execution, persistence mechanisms, or harmful prompt injection attempts against the agent.

Capability Assessment

⚠ Purpose & Capability

The skill's name/description promise a 'local' tracker with data kept under ~/.portfolio-tracker. The code and runtime instructions do persist data there, but the implementation also makes numerous outbound network calls (Binance APIs for account sync, price providers, and hard-coded EVM RPC endpoints such as https://eth.llamarpc.com). The README/SKILL.md claim 'No data is sent to any server' is therefore inaccurate.

⚠ Instruction Scope

SKILL.md instructs the agent to run local scripts (via npx tsx) and to save API credentials into ~/.portfolio-tracker/config.json. The scripts explicitly perform network operations: signed requests to Binance, IBKR Flex Query use, CoinGecko/Yahoo price fetches, and querying public RPC nodes for wallet balances. There are no instructions to read unrelated system files or environment variables, but the instructions understate external communications and the privacy implications of querying third-party RPC endpoints.

ℹ Install Mechanism

This is instruction-only (no packaged installer) but the SKILL.md requires running npm install in <skill-path>/scripts. The package-lock shows dependencies pulled from npm (ethers, fast-xml-parser, tsx, etc.). Installing via npm is expected for TypeScript scripts and the sources come from public registries, not arbitrary download URLs. This is a standard but non-trivial footprint (node_modules) to be installed locally.

⚠ Credentials

The skill requests no environment variables but asks users to input sensitive credentials (Binance API key/secret, IBKR token/queryId, wallet addresses) which are stored in plaintext in ~/.portfolio-tracker/config.json. Requesting these secrets is proportional to the functionality, but storing them unencrypted on disk and the README's misleading claim about 'no data sent' are concerning. Additionally, hard-coded RPC endpoints mean wallet addresses and balance queries are visible to those RPC providers.

✓ Persistence & Privilege

The skill does not request always:true, does not modify other skills, and only writes to its own local data/config files under ~/.portfolio-tracker. It does not self-enable or persist beyond its own files in an unusual way.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install portfolio-tracking-skill
After installation, invoke the skill by name or use /portfolio-tracking-skill
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release of the local portfolio tracker skill: - Track and manage investment portfolios fully locally; all data stored in `~/.portfolio-tracker/`. - TypeScript CLI tools for data management, price fetching, and account syncing (Binance, IBKR, EVM wallets). - Modular architecture with clear data and config separation. - Supports asset price refresh, exchange rate updates, and historical data lookups. - Sync investment data from major crypto exchanges, brokers, and blockchain wallets. - User commands for portfolio viewing, price updates, account setup, syncing, and requesting investment advice.

Metadata

Slug portfolio-tracking-skill

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is portfolio tracking?

An investment portfolio tracker that runs entirely locally. All data stays in ~/.portfolio-tracker/. It is an AI Agent Skill for Claude Code / OpenClaw, with 545 downloads so far.

How do I install portfolio tracking?

Run "/install portfolio-tracking-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is portfolio tracking free?

Yes, portfolio tracking is completely free (open-source). You can download, install and use it at no cost.

Which platforms does portfolio tracking support?

portfolio tracking is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created portfolio tracking?

It is built and maintained by aigeneralstore (@aigeneralstore); the current version is v1.0.0.

More Skills