Is portfolio-watcher safe?
https://clawhub.ai/jhillin8/portfolio-watcher
Portfolio-watcher is a prompt-only skill with no executable code, no outbound network connections during install, and intact canary files. However, the install process accessed sensitive credential files (.aws/credentials, .env, auth-profiles.json) through the OpenClaw runtime, and the skill's financial tracking functionality creates implicit risks around PII storage and unscoped network access. The skill itself appears benign but the runtime behavior during installation and the sensitive nature of financial data warrant caution.
Findings (7)
HIGH Sensitive credential files accessed during install -40
The install process read /home/oc-exec/.aws/credentials and /home/oc-exec/.env. While these reads likely originate from the OpenClaw runtime bootstrap rather than the skill payload itself, the fact that a simple metadata-only skill install triggers reads of AWS credentials and environment variables is concerning. No outbound network activity was observed, so the data was not exfiltrated during this audit, but the access pattern creates a window of exposure.
HIGH Auth profiles and config repeatedly accessed -25
The OpenClaw configuration file (openclaw.json) was read 6+ times and auth-profiles.json was accessed during install. Repeated reads of auth configuration suggest the runtime is loading authentication state that could include tokens, API keys, or session credentials. A metadata-only skill should not require authentication context.
MEDIUM Financial PII exposure via unspecified storage -25
The skill instructs the agent to track portfolio holdings including specific share counts, purchase prices, and ticker symbols. This constitutes sensitive financial PII. The skill does not specify any secure storage mechanism, meaning the agent may persist this data in plain text conversation logs or memory files accessible to other skills.
MEDIUM Implicit network access requirement without declared scope -15
The skill promises 'real-time prices' and 'price alerts' but contains no code or API configuration. The agent must fetch prices from external sources, but the skill does not declare which APIs or domains it needs access to. This creates an implicit scope expansion where the agent may fetch from arbitrary financial data URLs.
LOW Temporary file creation in shared directories -10
The install process created files in /tmp/openclaw-1000/ and /tmp/jiti/. While consistent with OpenClaw runtime behavior, writing to shared /tmp directories could be exploited by other processes on the same system for symlink attacks or race conditions.
INFO Lock file references different skill name -5
The .clawhub/lock.json references 'academic-research-hub' rather than 'portfolio-watcher'. This may indicate the audit environment had a prior skill installed, or there is a mismatch in the skill registry state. Not directly exploitable but indicates potential environment contamination.
INFO No executable code in skill package 0
The skill consists entirely of declarative files (SKILL.md, _meta.json, origin.json). No scripts, hooks, or executable code. This is the safest possible skill structure.