prod-astock-financial-analysis-v2
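v1.0.1
Calls a remote agent on the Prana platform to do the following: analyze the financial condition of A-share listed companies, presented across 6 dimensions (profitability, solvency, operating efficiency, growth, cash flow quality, valuation level), generate an interactive HTML report, and analyze the most recent 8 quarters of data by default. IMPORTANT: This skill has a mandatory step-by-st...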
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, declared network endpoints, skill.json, and the two client scripts all consistently target the Prana service (https://www.prana.chat) to run a remote agent for financial analysis. Requiring PRANA_SKILL_API_FLAG is proportional to this purpose; no unrelated env vars, binaries, or config paths are requested.
Instruction Scope
SKILL.md prescribes an explicit stepwise flow (check PRANA_SKILL_API_FLAG, obtain api_key via GET /api/v2/api-keys with explicit user consent, then set env var, then run bundled client scripts). That scope is consistent with using a remote service, but the flow will transmit user query/prompt data to prana.chat (expected for remote processing). The strict rules about not re-fetching keys and not pasting full keys into chat are unusual but align with protecting keys; they do not indicate hidden exfiltration. Users should be aware that analysis inputs (company names, any pasted financial data) will leave their machine and be processed remotely.
Install Mechanism
No install spec or external downloads are present; the skill is instruction-only with two small local client scripts that use standard HTTP calls. No archives, shorteners, or third‑party package installs are invoked by the skill itself.
Credentials
Only PRANA_SKILL_API_FLAG is required and is used as the x-api-key header for prana.chat calls. That single credential is proportionate to the stated remote-agent integration. The SKILL.md emphasizes obtaining explicit consent before creating or persisting the key.
Persistence & Privilege
always is false and the skill does not request elevated privileges or modify other skills. The documentation recommends (with user consent) writing PRANA_SKILL_API_FLAG as a global env/config value for convenience — this is a persistent secret that the operator must consciously choose to store; storing a long-lived key globally increases persistence and blast radius if the environment is shared.
Assessment
This skill appears to do what it claims: it sends your analysis request to prana.chat and requires a single API key (PRANA_SKILL_API_FLAG). Before installing or running it: (1) confirm you trust the external service at https://www.prana.chat, since your queries (company names and any pasted financial data) will be transmitted; (2) follow the SKILL.md step rules exactly — obtain explicit user consent before fetching a key and choose whether to set the key only for the session or persist it globally; (3) prefer a temporary/session env var if you are concerned about storing secrets broadly; and (4) do not paste full API keys into chat or public logs. If you want higher assurance, ask the skill author for an auditable provenance of the prana.chat endpoints or run the bundled client scripts in an isolated environment first.
scripts/prana_skill_client.js:140
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.
Like a lobster shell, security has layers — review code before you run it.
latest vk977n710vgbf9qgrmbp6dg1h6d84kax8
