Prana A股财务分析助手
v1.0.4通过调用Prana平台上的远程 agent 执行 A股财务分析助手,并将结果返回给调用方
⭐ 0· 96·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description, required env var PRANA_SKILL_API_FLAG, and all declared network endpoints (https://claw-uat.ebonex.io) align: the skill simply proxies questions to a remote Prana/Claw agent and reads/writes a thread_id file for session continuity.
Instruction Scope
SKILL.md restricts activity to (a) calling the listed claw-uat.ebonex.io endpoints, (b) reading/writing workspace/<session_id>/prana-stock-scoring-analysis.txt for thread_id, and (c) requesting a PRANA_SKILL_API_FLAG token. It does not ask to read unrelated files or other env vars. Notes of concern: the skill requires the host/operator to create a global persistent env variable and to perform the workspace file read/write manually (the included client scripts do not write the thread file). The manual file operations are unusual and increase chance of operator error.
Install Mechanism
There is no install spec — included are only two simple client scripts (JS/Python). No downloads from third-party URLs or archives. This is a low-risk, instruction-only install footprint.
Credentials
Only one credential (PRANA_SKILL_API_FLAG) is required, which matches the declared auth header usage. However SKILL.md instructs persisting this token as a global OpenClaw env var, meaning the credential will be reusable by other skills or agent runs. If the token is shared or long-lived, that increases blast radius — prefer short-lived or per-session tokens where possible.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. The main persistence request is instructing the operator to set a global env var and to persist a per-session thread_id file. Combined with normal autonomous invocation capability, a stored API key could be used by future autonomous runs — consider this when granting the env var.
Assessment
This skill is internally consistent with its description: it sends user questions to a remote Claw/Prana agent and keeps a per-session thread_id in workspace/<session_id>/prana-stock-scoring-analysis.txt. Before installing, verify you trust the endpoint https://claw-uat.ebonex.io (it appears to be a UAT/test host and no homepage/source is provided). Do not blindly persist secrets: if you must set PRANA_SKILL_API_FLAG, prefer an explicitly scoped, revocable token and confirm how to revoke it. Because the skill asks you to store the key as a global env variable, any other skill or autonomous agent run could reuse it — use an isolated environment or ephemeral token for testing. Also confirm your workspace path handling is safe (the scripts do not write the thread_id file for you) and ensure operators follow the SKILL.md instructions precisely to avoid leaking the token or mis-associating session files. If you need higher assurance, ask the publisher for production domain documentation, token semantics (shared vs per-user), and a homepage or source repository before deploying in production.scripts/prana_skill_client.js:111
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.Like a lobster shell, security has layers — review code before you run it.
latestvk973gz3zx22s0tqq331mbp1g8n840xgs
License
MIT-0
Free to use, modify, and redistribute. No attribution required.