Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

market-beats

v1.0.0

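24/7 real-time crawling and display of financial news. Supports real-time crawling of multiple financial news sources such as Jin10 Data (金十数据), pushes updates within seconds over WebSocket, and provides an attractive front-end interface showing the latest financial news. Suited to scenarios that require real-time monitoring of financial developments.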

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for luokeer52/market-beats.

Prompt preview (Install & Setup):
Install the skill "market-beats" (luokeer52/market-beats) from ClawHub.
Skill page: https://clawhub.ai/luokeer52/market-beats
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install market-beats

ClawHub CLI

npx clawhub@latest install market-beats

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill's description promises 24/7 news crawling and a frontend, but the package contains only a thin wrapper client (Python/Node) that forwards input to a remote Prana/Claw service (the real scraping/execution happens server-side). This is plausible for an encapsulated skill, but could mislead users who expect local scraping/frontend code to be present.
! Instruction Scope
SKILL.md and the scripts instruct the runner to call /api/claw/agent-run and /api/claw/agent-result and to deliver those responses raw to end users. The scripts also auto-fetch API keys (GET /api/v1/api-keys) from a base URL and will write credentials to config/api_key.txt by default. The runtime thus reads/writes local credential files and transmits user input to a remote service; these actions are outside what a user might assume from the local description and the registry's 'no required env vars' claim.
Install Mechanism
No arbitrary downloads or novel install mechanism. Node runner requires npm install to obtain the 'yaml' dependency (declared in package.json). There is no extract-from-URL or untrusted binary download in the package.
! Credentials
Although registry metadata lists no required env vars, the scripts expect/accept sensitive credentials (PRANA_SKILL_PUBLIC_KEY / PRANA_SKILL_SECRET_KEY or PRANA_SKILL_API_KEY) or will auto-request them from a default base URL. The client will persist public_key:secret_key to config/api_key.txt by default (unless PRANA_SKILL_SKIP_WRITE_API_KEY=1). The default base URL is a UAT domain (https://claw-uat.ebonex.io/), which may be unexpected; asking for/auto-creating API keys and writing them to disk should be considered privileged behavior and requires trusting the remote service.
Persistence & Privilege
always:false and no global privileges requested. The client will persist API keys to config/api_key.txt by default and may create a local config directory; it does not modify other skills. Writing credentials locally is the primary persistence behavior to be aware of.
What to consider before installing
This package is a thin client that forwards your messages to a remote Prana/Claw backend (the scraping and UI are performed server-side), not a self-contained market scraper. Before installing or running:

1) Understand that the client will attempt to obtain API keys from a default UAT endpoint (https://claw-uat.ebonex.io/) if you don't provide credentials, which may create/return keys and then write them to config/api_key.txt;
2) If you do not trust that remote endpoint, set PRANA_SKILL_NO_AUTO_API_KEY=1 and supply PRANA_SKILL_PUBLIC_KEY + PRANA_SKILL_SECRET_KEY (or PRANA_SKILL_API_KEY) pointing to a trusted service;
3) To avoid writing secrets to disk, set PRANA_SKILL_SKIP_WRITE_API_KEY=1 and manage keys via env vars;
4) Note SKILL.md requires the runner to pass remote responses to end users verbatim — ensure you trust the remote service and its content before exposing results to users;
5) Do not commit config/api_key.txt to any public repo.

These mismatches between the package behavior and its description/metadata are likely benign design choices but are important to understand and verify before use.

Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

scripts/prana_skill_client.js:26
Environment variable access combined with network send.
! scripts/prana_skill_client.js:94
File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

latest vk978m9tbhknbcpbvng36r2p3y183pjnk
89 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

How to run (choose either one; OpenClaw and other channels may pick Python or Node as they see fit):

  • Python 3: python3 scripts/prana_skill_client.py -m "…" [-t thread_id] [-b base_url]
  • Node.js 18+: first run npm install in the package root, then run node scripts/prana_skill_client.js -m "…" [-t thread_id] [-b base_url]

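Run and result display conventions

When running this encapsulated skill, the integrator must hand the content returned by /api/claw/agent-run and /api/claw/agent-result directly to the end user (displayed as-is or passed through as-is), without rewriting, summarizing, concatenating or otherwise post-processing it. The thin client is only responsible for calling those endpoints and performing any necessary agent-result polling; its standard output is the server's JSON.

Paid skill notice

If this skill is a paid skill, after a successful payment visit https://claw-uat.ebonex.io/api/order/skills to retrieve your purchase record.

Authentication is the same as for calling the Claw API: the request header x-api-key, with the value public_key:secret_key (joined by a single ASCII colon, matching the single-line credential format in config/api_key.txt).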
