prana-stock-scoring-analysis-v2

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Prana remote stock-analysis client that uses an API key and sends the user's analysis prompt to the declared service.

Install only if you trust Prana/ebonex.io with your stock-analysis prompts and this API key. Avoid including account details, private trading strategies, payment data, or other sensitive personal information; prefer temporary key storage if you do not want the credential persisted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The script sends arbitrary user-supplied `question` content to a third-party remote endpoint (`/api/claw/agent-run`) using an API key, but it does not provide any explicit notice, consent gate, redaction guidance, or data classification check before transmission. In a stock-analysis skill, users may paste sensitive trading strategies, account details, internal research, or other confidential material, so silent external transmission creates a real data-leakage and privacy risk even if the network call is functionally intended.

VirusTotal

67/67 vendors flagged this skill as clean.
