← 返回 Skills 市场
Portfolio Risk Analyzer
作者
kellyclaudeai
· GitHub ↗
· v0.1.0
2022
总下载
0
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install portfolio-risk-analyzer
功能描述
Analyzes crypto portfolios across multiple chains for risk exposures, stress tests, and offers optimization advice with automated $BANKR buyback monetization.
安全使用建议
This skill implements the advertised portfolio analysis and an automated buyback mechanism, but it asks you to provide a full private key and will run hourly buybacks automatically. Before installing or running it:
- Do NOT provide your main wallet private key. Use a dedicated hot wallet with only the funds you can afford to lose, or better, use a custodial/signing service or multisig that requires human approval.
- Inspect the repository fully (the package is missing many referenced scripts); ask the author for the missing files or a link to the canonical source (GitHub). Do not run the server until you can review the missing code.
- Verify all contract addresses (BANKR_TOKEN, UNISWAP_ROUTER) and the code that performs swaps to ensure no malicious recipient or routing is used.
- Run the service in a sandboxed environment (isolated VM/container), and avoid running as root. Monitor outbound connections and logs to detect any exfiltration of secrets.
- Consider disabling the automated cron buyback until you have audited the swapping code and confirmed expected behavior; prefer manual buybacks after review.
- If you lack the expertise to audit smart‑contract interactions and private‑key handling, treat the skill as high risk and avoid installing it. Request a published repository or independent audit from the author before use.
功能分析
Type: OpenClaw Skill
Name: portfolio-risk-analyzer
Version: 0.1.0
This skill is classified as suspicious due to its direct handling of a private key (`PAYMENT_WALLET_KEY`) for fund management and its use of `child_process.execSync` to execute shell scripts from the Node.js server. The `SKILL.md` and `README.md` explicitly instruct users to provide a private key as an environment variable, which is then used by `scripts/execute-buyback.sh` to perform Uniswap swaps. The `server.js` file schedules a cron job that uses `execSync` to run this script hourly. While these actions are central to the skill's stated purpose of automated token buybacks, they represent significant risky capabilities that could be exploited if the environment or skill were compromised, even without clear evidence of intentional malicious behavior in the provided files.
能力评估
Purpose & Capability
The code and SKILL.md implement portfolio scanning, token-gating, and an automated buyback flow that matches the skill name. However there are multiple incoherences: registry metadata at the top lists no required env vars while SKILL.md and server.js require RPC endpoints, API keys, Twilio credentials, and a PAYMENT_WALLET_KEY private key. skill.json lists only Node/npm/curl/jq as required bins and primaryEnv=ETHEREUM_RPC — again inconsistent with SKILL.md. The monetization (auto-buyback to $BANKR) is a legitimate feature for the stated purpose, but the mismatch between declared requirements and actual runtime needs is significant and unexplained.
Instruction Scope
Runtime instructions tell the operator to set sensitive environment variables (RPCs, API keys, and a full PAYMENT_WALLET_KEY private key) and to run servers and scripts that will accept webhooks and perform swaps. server.js schedules an hourly cron job that execs the buyback script, so the skill can autonomously perform on-chain transactions. Many referenced scripts and endpoints (check-bankr-balance.js, fetch-portfolio.js, uniswap-swap.js, burn-tokens.js, payment-server.sh, voice-bot.sh, etc.) are referenced in SKILL.md and server.js but are not present in the file manifest; this makes it impossible to fully verify runtime behavior and increases risk. The instructions also direct the agent to accept payment webhooks and to execute financial transactions — actions that require careful security controls which are not described.
Install Mechanism
There is no platform install spec (install-only by instructions), but a package.json with normal npm dependencies (ethers, axios, twilio, node-cron, @uniswap packages). No suspicious remote downloads or URL-shortened installers are present. Installing will require running npm install and writing these files to disk; that is expected for a Node.js skill but still requires running third‑party packages.
Credentials
The environment variables requested in SKILL.md (RPC endpoints, API keys, Twilio creds) are reasonable for portfolio scanning and voice integration. However PAYMENT_WALLET_KEY (a private key) is required to perform automated buybacks — this is highly sensitive and gives the skill the ability to move funds from the configured wallet. Requesting a full private key is functionally proportional to executing swaps, but because the package also runs automated cron-triggered buybacks and references missing scripts, the risk of misuse or accidental loss is elevated. Additionally, the registry metadata incorrectly claims 'Required env vars: none' which is an important inconsistency.
Persistence & Privilege
always:false (good), but server.js installs an hourly cron job within the process to run execute-buyback.sh. The combination of autonomous scheduled execution + possession of a private key increases blast radius: the skill can autonomously spend funds from the PAYMENT_WALLET_ADDRESS. Autonomous invocation is normal for skills, but when combined with full signing credentials and missing/incomplete code, this raises a significant operational risk that should be mitigated before deployment.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install portfolio-risk-analyzer - 安装完成后,直接呼叫该 Skill 的名称或使用
/portfolio-risk-analyzer触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial public release of portfolio-risk-analyzer.
- Provides real-time crypto portfolio risk analysis and optimization with voice interface.
- Supports multi-chain asset breakdowns, DeFi/NFT holdings, risk scoring, and stress tests.
- Offers actionable recommendations (rebalance, hedge, optimize yield, tax-loss).
- Automated payment system includes one-time, subscription, and free tier for $BANKR holders.
- 100% of fees are auto-swapped to $BANKR via Uniswap as part of an integrated buyback mechanism.
- Built-in voice bot (Twilio) allows users to access analysis and advice via phone calls.
元数据
常见问题
Portfolio Risk Analyzer 是什么?
Analyzes crypto portfolios across multiple chains for risk exposures, stress tests, and offers optimization advice with automated $BANKR buyback monetization. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2022 次。
如何安装 Portfolio Risk Analyzer?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install portfolio-risk-analyzer」即可一键安装,无需额外配置。
Portfolio Risk Analyzer 是免费的吗?
是的,Portfolio Risk Analyzer 完全免费(开源免费),可自由下载、安装和使用。
Portfolio Risk Analyzer 支持哪些平台?
Portfolio Risk Analyzer 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Portfolio Risk Analyzer?
由 kellyclaudeai(@kellyclaudeai)开发并维护,当前版本 v0.1.0。
推荐 Skills