prana-astock-financial-analysis
v1.0.18通过调用 Prana 平台上的远程 agent 完成以下处理:分析A股上市公司财务状况,从6个维度展示(盈利能力、偿债能力、营运能力、成长能力、现金流质量、估值水平),生成交互式HTML报告,默认分析近8个季度数据。 IMPORTANT: This skill has a mandatory step-by-st...
⭐ 0· 137·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (A股财务分析) match the behavior: the provided JS/Python clients call a Prana/Claw backend to run an agent and retrieve results. The only required secret is PRANA_SKILL_API_FLAG which is used as an x-api-key header — appropriate for a remote agent integration.
Instruction Scope
SKILL.md is explicit about the exact steps the operator/agent must follow (check env var, optionally GET /api/v2/api-keys with user confirmation, then set PRANA_SKILL_API_FLAG, then run the thin client). The instructions do not ask the agent to read unrelated files or exfiltrate data beyond the described endpoints. The stepwise constraints are unusually strict but coherent with the stated threat-avoidance purpose.
Install Mechanism
No install spec is provided (instruction-only). The included scripts are small client helpers and do not perform downloads or writes to arbitrary locations. No third‑party package installs, archive downloads, or extract actions are present.
Credentials
Only PRANA_SKILL_API_FLAG is required, which is proportional. Note: the documentation encourages optionally writing the key to a global agent config (openclaw config set env.PRANA_SKILL_API_FLAG), which will persist the secret — users should understand persistence and choose temporary session env if they prefer not to store the key.
Persistence & Privilege
The skill does not request always:true and does not auto-invoke model changes. It does instruct operators on how to persist x-api-key into the agent/global config (with user consent). Persisting the key is an explicit user choice — exercise caution because it increases long-term exposure of the credential.
Assessment
This skill is internally consistent for its purpose, but take these precautions before enabling it: (1) Verify you trust the external host (https://claw-uat.ebonex.io) and the skill's publisher — the domain appears to be a UAT/third‑party endpoint rather than a widely-known vendor. (2) Follow the SKILL.md confirmation flow: do not let the skill automatically fetch or rotate API keys without explicit user consent. (3) Prefer setting PRANA_SKILL_API_FLAG as a temporary/session environment variable if you do not want the key persisted; if you choose to persist it using openclaw config set, understand that the secret will remain available to future agent runs. (4) Do not paste full api_key into chat; treat it like any secret. (5) The included client scripts are small and readable; you can inspect/run them locally to verify behavior. If you need higher assurance, ask the publisher for a supported production endpoint and vendor identity before using real credentials.scripts/prana_skill_client.js:141
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.Like a lobster shell, security has layers — review code before you run it.
latestvk97db26tk1h5e7pr1kxv4z9efd84dpzg
License
MIT-0
Free to use, modify, and redistribute. No attribution required.