Gprophet Api

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent instruction-only integration for a paid stock-analysis API, with the main cautions being API-key billing, optional external SDK/MCP installs, and callback data sharing.

Before installing, make sure you are comfortable giving the agent access to a G-Prophet API key for billable market-analysis calls. Set quotas or use a limited/test key, monitor account usage, verify any optional SDK/MCP package before installing it, and only configure webhook callbacks to endpoints you control.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent makes unnecessary or repeated calls, it can consume paid points or quota.

Why it was flagged

The skill requires an API key that authorizes billable calls to the G-Prophet account. This is expected and disclosed for the stated purpose, but it gives the agent access to a paid account resource.

Skill content

| Authentication | `X-API-Key` header | ... | Billing | Points-based, each call consumes corresponding points |

Recommendation

Use a limited or test key where possible, set daily/monthly quotas, monitor usage, and confirm higher-cost analysis requests before running them.

What this means

Installing or running the optional package gives that package local execution and, in the MCP example, access to the GPROPHET_API_KEY environment variable.

Why it was flagged

The optional SDK and MCP setup pull and run an external package that is not included in the artifact set and is not version-pinned. This is common for SDK/MCP integrations, but users should verify the package source.

Skill content

pip install gprophet ... "command": "uvx", "args": ["--from", "gprophet", "gprophet-mcp"]

Recommendation

Install only from the official package source, consider pinning a known version, and avoid placing real API keys directly in shared configuration files.

What this means

If a callback URL is incorrect or not controlled by the user, market analysis results or related request context could be delivered to the wrong endpoint.

Why it was flagged

The artifacts disclose a callback flow where analysis results can be sent to a URL. This appears purpose-aligned, but it is a data boundary users should configure carefully.

Skill content

- **Webhook Callbacks**: Analysis endpoints accept `callback_url` parameter; results are POSTed on completion

Recommendation

Use only HTTPS callback URLs you control, do not include secrets in callback URLs, and avoid callbacks unless needed.