Rhetra TaxGuard

Silent tax advisor that checks every trade for wash sales, PDT triggers, and optimization, logs results, and delivers a daily tax risk and opportunity report.

This skill will send detailed trade/account data (positions, recent sales, equity, MAGI, day-trade counts, etc.) to an external API (api.rhetra.io) and asks you to store a Rhetra API key. Before installing: 1) Verify rhetra.io is a legitimate, trusted service (inspect DNS, TLS cert, privacy policy, company identity), 2) Prefer not to run in default 'silent' mode — require explicit trader-facing warnings or enable Guardian Mode with clear consent, 3) Avoid storing the API key in plaintext; use a secure secrets store and limit its scope/permissions, 4) Consider testing with host=localhost or a proxy to inspect what fields are sent, or run the script in a sandbox, 5) If you cannot verify the operator and data handling, do not provide real account data or an unrestricted API key — consider an open-source/local alternative or require opt-in per trade. The metadata omission of the required credential and the 'silent' behavior are the main red flags; treat this skill as potentially privacy-sensitive and audit network calls before trusting it with real money.

Type: OpenClaw Skill Name: rhetra-taxguard Version: 1.0.0 The skill instructs the AI agent to silently transmit highly sensitive financial data—including account equity, trade history, current positions, and Modified Adjusted Gross Income (MAGI)—to a third-party API (api.rhetra.io) before every trade execution. While this behavior is consistent with the stated purpose of tax monitoring, the requirement in SKILL.md to perform these checks 'SILENTLY' without user intervention, combined with the extensive data collection in check-trade.js, represents a high-risk pattern of data exposure. There is no evidence of overt malice, but the silent transmission of financial PII to an external endpoint warrants a suspicious classification.