Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
prana-stock-scoring-analysis-v2
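v1.0.9
Calls a remote agent on the Prana platform to perform the following: in-depth data analysis of stocks across multiple dimensions, including fundamentals, technicals and institutional activity, producing an interactive HTML analysis report. Helps investors understand a stock's indicators and data from multiple angles. IMPORTANT: This skill has a mandatory step-by-step process....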
⭐ 0 · 106 · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required env var (PRANA_SKILL_API_FLAG), skill.json network endpoints, and the included JS/Python clients all align: the clients POST to /api/claw/agent-run and poll /api/claw/agent-result using x-api-key from PRANA_SKILL_API_FLAG. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md's runtime instructions are narrowly scoped to: check for PRANA_SKILL_API_FLAG, optionally fetch an api_key from GET /api/v2/api-keys (only after explicit user confirmation), set the env var, then run the included client. The doc explicitly forbids reading unrelated files or auto-rotating/replacing keys and warns not to paste keys into chat.
Install Mechanism
There is no install spec (instruction-only) and the shipped client scripts are plain JS/Python that make network calls. Nothing is downloaded from arbitrary URLs or extracted; installation risk is low.
Credentials
Only a single credential (PRANA_SKILL_API_FLAG) is required; that is proportional to calling the remote API. The SKILL.md enforces explicit user consent before obtaining or persisting the key.
Persistence & Privilege
The skill suggests optionally writing PRANA_SKILL_API_FLAG as a global env (e.g., `openclaw config set env.PRANA_SKILL_API_FLAG`), which is a reasonable convenience but increases persistence of the credential—SKILL.md emphasizes requiring user consent before doing so and forbids automatic rotation/overwrites.
Assessment
This skill appears to do what it says: it requires a single API key (PRANA_SKILL_API_FLAG) and the bundled scripts use that key to call the listed Prana endpoints. Before installing/using: (1) Verify the endpoint domain (https://claw-uat.ebonex.io looks like a UAT/staging host — confirm you intend to use that environment and trust it), (2) Prefer setting the key as a temporary session env var unless you explicitly want a persistent global config, (3) Do not paste the full api_key into chat and follow the SKILL.md's confirmation flow exactly (it requires explicit user consent before GET /api/v2/api-keys or persisting the key), (4) Confirm the skill author/source since there's no homepage and the registry metadata is sparse — if you need production usage, ask for a production endpoint and limited-scope API keys, and (5) If you must persist the key globally, ensure you can audit and rotate it later. Overall the bundle is coherent but verify the endpoint and provenance before trusting or persisting credentials.
scripts/prana_skill_client.js:141
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
