← Back to Skills Marketplace
Portfolio Risk Analyzer
by
kellyclaudeai
· GitHub ↗
· v0.1.0
2022
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install portfolio-risk-analyzer
Description
Analyzes crypto portfolios across multiple chains for risk exposures, stress tests, and offers optimization advice with automated $BANKR buyback monetization.
Usage Guidance
This skill implements the advertised portfolio analysis and an automated buyback mechanism, but it asks you to provide a full private key and will run hourly buybacks automatically. Before installing or running it:
- Do NOT provide your main wallet private key. Use a dedicated hot wallet with only the funds you can afford to lose, or better, use a custodial/signing service or multisig that requires human approval.
- Inspect the repository fully (the package is missing many referenced scripts); ask the author for the missing files or a link to the canonical source (GitHub). Do not run the server until you can review the missing code.
- Verify all contract addresses (BANKR_TOKEN, UNISWAP_ROUTER) and the code that performs swaps to ensure no malicious recipient or routing is used.
- Run the service in a sandboxed environment (isolated VM/container), and avoid running as root. Monitor outbound connections and logs to detect any exfiltration of secrets.
- Consider disabling the automated cron buyback until you have audited the swapping code and confirmed expected behavior; prefer manual buybacks after review.
- If you lack the expertise to audit smart‑contract interactions and private‑key handling, treat the skill as high risk and avoid installing it. Request a published repository or independent audit from the author before use.
Capability Analysis
Type: OpenClaw Skill
Name: portfolio-risk-analyzer
Version: 0.1.0
This skill is classified as suspicious due to its direct handling of a private key (`PAYMENT_WALLET_KEY`) for fund management and its use of `child_process.execSync` to execute shell scripts from the Node.js server. The `SKILL.md` and `README.md` explicitly instruct users to provide a private key as an environment variable, which is then used by `scripts/execute-buyback.sh` to perform Uniswap swaps. The `server.js` file schedules a cron job that uses `execSync` to run this script hourly. While these actions are central to the skill's stated purpose of automated token buybacks, they represent significant risky capabilities that could be exploited if the environment or skill were compromised, even without clear evidence of intentional malicious behavior in the provided files.
Capability Assessment
Purpose & Capability
The code and SKILL.md implement portfolio scanning, token-gating, and an automated buyback flow that matches the skill name. However there are multiple incoherences: registry metadata at the top lists no required env vars while SKILL.md and server.js require RPC endpoints, API keys, Twilio credentials, and a PAYMENT_WALLET_KEY private key. skill.json lists only Node/npm/curl/jq as required bins and primaryEnv=ETHEREUM_RPC — again inconsistent with SKILL.md. The monetization (auto-buyback to $BANKR) is a legitimate feature for the stated purpose, but the mismatch between declared requirements and actual runtime needs is significant and unexplained.
Instruction Scope
Runtime instructions tell the operator to set sensitive environment variables (RPCs, API keys, and a full PAYMENT_WALLET_KEY private key) and to run servers and scripts that will accept webhooks and perform swaps. server.js schedules an hourly cron job that execs the buyback script, so the skill can autonomously perform on-chain transactions. Many referenced scripts and endpoints (check-bankr-balance.js, fetch-portfolio.js, uniswap-swap.js, burn-tokens.js, payment-server.sh, voice-bot.sh, etc.) are referenced in SKILL.md and server.js but are not present in the file manifest; this makes it impossible to fully verify runtime behavior and increases risk. The instructions also direct the agent to accept payment webhooks and to execute financial transactions — actions that require careful security controls which are not described.
Install Mechanism
There is no platform install spec (install-only by instructions), but a package.json with normal npm dependencies (ethers, axios, twilio, node-cron, @uniswap packages). No suspicious remote downloads or URL-shortened installers are present. Installing will require running npm install and writing these files to disk; that is expected for a Node.js skill but still requires running third‑party packages.
Credentials
The environment variables requested in SKILL.md (RPC endpoints, API keys, Twilio creds) are reasonable for portfolio scanning and voice integration. However PAYMENT_WALLET_KEY (a private key) is required to perform automated buybacks — this is highly sensitive and gives the skill the ability to move funds from the configured wallet. Requesting a full private key is functionally proportional to executing swaps, but because the package also runs automated cron-triggered buybacks and references missing scripts, the risk of misuse or accidental loss is elevated. Additionally, the registry metadata incorrectly claims 'Required env vars: none' which is an important inconsistency.
Persistence & Privilege
always:false (good), but server.js installs an hourly cron job within the process to run execute-buyback.sh. The combination of autonomous scheduled execution + possession of a private key increases blast radius: the skill can autonomously spend funds from the PAYMENT_WALLET_ADDRESS. Autonomous invocation is normal for skills, but when combined with full signing credentials and missing/incomplete code, this raises a significant operational risk that should be mitigated before deployment.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install portfolio-risk-analyzer - After installation, invoke the skill by name or use
/portfolio-risk-analyzer - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial public release of portfolio-risk-analyzer.
- Provides real-time crypto portfolio risk analysis and optimization with voice interface.
- Supports multi-chain asset breakdowns, DeFi/NFT holdings, risk scoring, and stress tests.
- Offers actionable recommendations (rebalance, hedge, optimize yield, tax-loss).
- Automated payment system includes one-time, subscription, and free tier for $BANKR holders.
- 100% of fees are auto-swapped to $BANKR via Uniswap as part of an integrated buyback mechanism.
- Built-in voice bot (Twilio) allows users to access analysis and advice via phone calls.
Metadata
Frequently Asked Questions
What is Portfolio Risk Analyzer?
Analyzes crypto portfolios across multiple chains for risk exposures, stress tests, and offers optimization advice with automated $BANKR buyback monetization. It is an AI Agent Skill for Claude Code / OpenClaw, with 2022 downloads so far.
How do I install Portfolio Risk Analyzer?
Run "/install portfolio-risk-analyzer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Portfolio Risk Analyzer free?
Yes, Portfolio Risk Analyzer is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Portfolio Risk Analyzer support?
Portfolio Risk Analyzer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Portfolio Risk Analyzer?
It is built and maintained by kellyclaudeai (@kellyclaudeai); the current version is v0.1.0.
More Skills