portfolio tracking
Author: aigeneralstore · v1.0.0
Total downloads: 545 · Favorites: 2 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install portfolio-tracking-skill
Description
An investment portfolio tracker that runs entirely locally. All data stays in ~/.portfolio-tracker/.
Security usage recommendations
This skill largely matches its stated purpose — local CLI scripts that read/write ~/.portfolio-tracker — but there are important caveats you should consider before installing:
- The code performs network calls. Syncing requires contacting Binance (using the API key/secret you provide), IBKR, price providers (CoinGecko/Yahoo), and public EVM RPC endpoints (e.g., eth.llamarpc.com). If you expect complete offline/local operation, that expectation is incorrect.
- API keys and IBKR tokens are stored unencrypted in ~/.portfolio-tracker/config.json. The skill suggests chmod 600, which helps, but the secret remains plaintext on disk. Use only read-only Binance keys and consider whether you want secrets stored there.
- Public RPC providers will see wallet addresses you query. If you are privacy-sensitive about addresses queried (e.g., connecting a hot wallet), consider pointing the code to your own RPC node or a privacy-respecting provider.
- The install step requires running npm install in the scripts folder; that pulls packages from the public npm registry (ethers, etc.). If you want higher assurance, review the package-lock and audit dependencies before installing.
- If you proceed: review the source files (already included), run in a sandboxed environment if possible, create read-only exchange keys, set tight file permissions on ~/.portfolio-tracker/config.json, and verify/change the hard-coded RPC endpoints if you prefer different providers.
Functional analysis
Type: OpenClaw Skill
Name: portfolio-tracking-skill
Version: 1.0.0
The skill is classified as suspicious due to security vulnerabilities related to the handling of sensitive API keys and secrets. Specifically, `scripts/binance-sync.ts` and `scripts/ibkr-sync.ts` pass API keys/secrets as command-line arguments (`process.argv`), which can expose these credentials to other users on a multi-user system or in system logs. Additionally, API keys and wallet addresses are stored in plaintext JSON in `~/.portfolio-tracker/config.json`. While the documentation (`SKILL.md`, `README.md`, `commands/setup.md`) explicitly states local storage and recommends `chmod 600` for the config file, this storage method and CLI argument passing represent a vulnerability, not malicious intent to exfiltrate data. All network calls are to legitimate financial/crypto APIs for read-only data, and there is no evidence of data exfiltration, malicious execution, persistence mechanisms, or harmful prompt injection attempts against the agent.
Capability assessment
Purpose & Capability
The skill's name/description promise a 'local' tracker with data kept under ~/.portfolio-tracker. The code and runtime instructions do persist data there, but the implementation also makes numerous outbound network calls (Binance APIs for account sync, price providers, and hard-coded EVM RPC endpoints such as https://eth.llamarpc.com). The README/SKILL.md claim 'No data is sent to any server' is therefore inaccurate.
Instruction Scope
SKILL.md instructs the agent to run local scripts (via npx tsx) and to save API credentials into ~/.portfolio-tracker/config.json. The scripts explicitly perform network operations: signed requests to Binance, IBKR Flex Query use, CoinGecko/Yahoo price fetches, and querying public RPC nodes for wallet balances. There are no instructions to read unrelated system files or environment variables, but the instructions understate external communications and the privacy implications of querying third-party RPC endpoints.
Install Mechanism
This is instruction-only (no packaged installer) but the SKILL.md requires running npm install in <skill-path>/scripts. The package-lock shows dependencies pulled from npm (ethers, fast-xml-parser, tsx, etc.). Installing via npm is expected for TypeScript scripts and the sources come from public registries, not arbitrary download URLs. This is a standard but non-trivial footprint (node_modules) to be installed locally.
Credentials
The skill requests no environment variables but asks users to input sensitive credentials (Binance API key/secret, IBKR token/queryId, wallet addresses) which are stored in plaintext in ~/.portfolio-tracker/config.json. Requesting these secrets is proportional to the functionality, but storing them unencrypted on disk and the README's misleading claim about 'no data sent' are concerning. Additionally, hard-coded RPC endpoints mean wallet addresses and balance queries are visible to those RPC providers.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only writes to its own local data/config files under ~/.portfolio-tracker. It does not self-enable or persist beyond its own files in an unusual way.
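How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install portfolio-tracking-skill
- Once installation completes, invoke the Skill by name or use /portfolio-tracking-skill to trigger it
- Provide the required inputs according to the Skill's parameter documentation to get structured output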
Version history
v1.0.0
Initial release of the local portfolio tracker skill:
- Track and manage investment portfolios fully locally; all data stored in `~/.portfolio-tracker/`.
- TypeScript CLI tools for data management, price fetching, and account syncing (Binance, IBKR, EVM wallets).
- Modular architecture with clear data and config separation.
- Supports asset price refresh, exchange rate updates, and historical data lookups.
- Sync investment data from major crypto exchanges, brokers, and blockchain wallets.
- User commands for portfolio viewing, price updates, account setup, syncing, and requesting investment advice.
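FAQ
What is portfolio tracking?
An investment portfolio tracker that runs entirely locally. All data stays in ~/.portfolio-tracker/. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 545 cumulative downloads to date.
How do I install portfolio tracking?
Run the command "/install portfolio-tracking-skill" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is portfolio tracking free?
Yes, portfolio tracking is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does portfolio tracking support?
portfolio tracking runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed portfolio tracking?
It is developed and maintained by aigeneralstore (@aigeneralstore); the current version is v1.0.0.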