
      Safety Report

      RiskOfficer

      @mib424242

      Portfolio risk management and analytics. Use when user asks to calculate VaR, run Monte Carlo, stress test, optimize with Risk Parity / Calmar / Black-Litter...

      2,122 Downloads
      10 Installs
      2 Stars
      9 Versions
      Data Analysis 2,542 · Networking & DNS 2,429 · Automated Testing 1,524

      Security Analysis

      Medium confidence
      Suspicious, 0.08 risk

      The skill is generally coherent with a portfolio‑risk API integration, but there are small mismatches and unclear trust signals (registry shows unknown source while SKILL.md claims an

      Mar 4, 2026 · 16 files · 2 concerns

      Purpose & Capability: note

      Name/description match the instructions: the skill is an API client for RiskOfficer and only requests a single API token (RISK_OFFICER_TOKEN). The documented endpoints and features (VaR, Monte Carlo, optimizations, ticker search, broker sync) align with a portfolio risk service.

      Instruction Scope: ok

      SKILL.md only instructs the agent to call RiskOfficer endpoints (api.riskofficer.tech) and to read the declared RISK_OFFICER_TOKEN or openclaw.json configuration. There are no instructions to read unrelated system files or other environment variables.

      Install Mechanism: ok

      Instruction-only skill with no install spec and no binaries to download—lowest install risk.

      Credentials: note

      Only one env var is required (RISK_OFFICER_TOKEN), which is proportionate. However, the SKILL.md text is ambiguous about token scope: it states 'read-only analysis' in places but the API coverage/docs include create/update/delete portfolio and broker connect/disconnect endpoints—the token may permit changes to your RiskOfficer account (virtual portfolios) even if not placing broker orders. Verify token permissions before reuse; create a dedicated token you can revoke.

      Persistence & Privilege: ok

      always:false and user-invocable:true. The skill does not request persistent system-level privileges and contains no install hooks that modify other skills or system-wide settings.

      Guidance

      What to check before installing:

      - Trust & provenance: The registry metadata you provided lists Source: unknown / Homepage: none, but SKILL.md and README claim an official GitHub repo (github.com/mib424242/riskofficer-openclaw-skill) and riskofficer.tech. Verify those links yourself (check the GitHub repo contents, commit history, and whether the repository owner matches the publisher you trust). A mismatch between registry metadata and the SKILL.md reduces confidence.
      - Token scope: Create a dedicated RISK_OFFICER_TOKEN for this skill (name it "OpenClaw"), with the minimum access RiskOfficer supports, and be prepared to revoke it. Although the skill repeatedly says it "does not store or log your token," the API surface includes endpoints that create/update/delete virtual portfolios and manage broker sync; the token likely authorizes actions in your RiskOfficer account (not your broker). Treat it like an account-level secret.
      - Use ephemeral session env var when possible: prefer exporting RISK_OFFICER_TOKEN in the session instead of saving it in ~/.openclaw/openclaw.json. If you must save it, restrict file permissions and be aware other agents/users who can read that file gain access.
      - Functional limits: The service is documented as supporting only RUB and USD with CBR/MOEX FX rates. If you need EUR/other FX providers, this skill won't support them.
      - Test cautiously: Try read-only queries first (ticker search, list portfolios) with a limited token or test account. Confirm responses come from api.riskofficer.tech and not unexpected endpoints.
      - If you need higher assurance: inspect the claimed GitHub repository, verify the repo owner and release tags, and confirm the skill package on the registry matches the repo. If you cannot verify the publisher, treat the token as higher risk and limit exposure (use a separate RiskOfficer account or token).

      Latest Release

      v4.3.0

      Sector concentration checks (max_sector_concentration, sector_limits, sector_exposures), trigger phrases in description, updated methodology docs


      Published by @mib424242 on ClawHub
