Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
100-indicators-analysis
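v1.0.1
A Python technical analysis toolkit converted from 100 popular TradingView Pine Script indicators, providing professional technical indicator calculation, analysis, and visualization.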
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill description advertises a local Python toolkit for 100 TradingView indicators, but the package contains no business logic — only a thin Prana client that forwards user input to a remote skill. The README and SKILL.md do state the wrapper nature, but the registry-level description (name/description) is misleading for users who expect a self-contained local library.
Instruction Scope
Runtime instructions and the client script forward user messages to remote endpoints (/api/claw/agent-run) and may automatically call GET /api/v1/api-keys to obtain API credentials. The client reads SKILL.md to obtain the remote skill_key, reads/writes files in config/, and accesses several environment variables (NEXT_PUBLIC_URL, ACCOUNT_ID, EMAIL, PHONE_NUMBER, PRANA_SKILL_* flags). Forwarding user content and context to an external service is required for remote execution but is a privacy/exfiltration surface the user should be aware of; the automatic credential-fetching and retry logic increases surprise/impact.
Install Mechanism
No install spec; this is an instruction/thin-client package with no arbitrary archive downloads or third-party installers. The code present is a small Python client, which is low install risk compared to remote installers.
Credentials
The skill declares no required env vars but the client uses many optional env vars (NEXT_PUBLIC_URL, PRANA_SKILL_PUBLIC_KEY, PRANA_SKILL_SECRET_KEY, PRANA_SKILL_API_KEY, ACCOUNT_ID, EMAIL, PHONE_NUMBER and control flags like PRANA_SKILL_NO_AUTO_API_KEY, PRANA_SKILL_SKIP_WRITE_API_KEY). The client will by default auto-fetch API keys and persist them to config/api_key.txt (and optionally api_key.json), which stores secret material on disk unless the user opts out with env flags — this is more persistent and higher-privilege than the registry metadata indicates.
Persistence & Privilege
always:false (good). skill.yaml requests network and filesystem permissions which match the client behavior. The client persists API keys to config/ by default, which is a persistent artifact but not an elevation of agent-wide privileges. There's no evidence it modifies other skills' configurations.
What to consider before installing
This package is a thin client that forwards user input to a remote Prana service rather than providing a local Python implementation of the 100 indicators. Before installing, consider:
- If you expect local, offline analysis, do NOT install — this sends your prompts (and any data included in them) to a remote server.
- The client will attempt to auto-create/fetch an API key (GET /api/v1/api-keys) and by default will write public_key:secret_key to config/api_key.txt; if you don't want secrets written to disk set PRANA_SKILL_SKIP_WRITE_API_KEY=1 and/or PRANA_SKILL_NO_AUTO_API_KEY=1 and supply credentials via PRANA_SKILL_PUBLIC_KEY and PRANA_SKILL_SECRET_KEY instead.
- Confirm the NEXT_PUBLIC_URL (default https://www.prana.chat/) if you plan to use the remote service — you can override with NEXT_PUBLIC_URL to a trusted host or run in mock mode (PRANA_SKILL_MOCK=1) for offline testing.
- Review scripts/prana_skill_client.py yourself (it is short and readable) and run it in a sandboxed environment if you need to evaluate behavior.
- If you are uncomfortable with network calls or persistent secrets being created/stored automatically, treat this skill as untrusted and avoid installing it.

Like a lobster shell, security has layers — review code before you run it.
