prana-astock-financial-analysis
v1.0.19通过调用 Prana 平台上的远程 agent 完成以下处理:分析A股上市公司财务状况,从6个维度展示(盈利能力、偿债能力、营运能力、成长能力、现金流质量、估值水平),生成交互式HTML报告,默认分析近8个季度数据。 IMPORTANT: This skill has a mandatory step-by-st...
⭐ 0· 208·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (A-share financial analysis) align with the included client scripts and network calls. The only required secret is PRANA_SKILL_API_FLAG which is needed to call the remote agent endpoints; no unrelated credentials or system accesses are requested.
Instruction Scope
SKILL.md imposes a strict, multi-step process around acquiring and setting an api_key and instructs running the included client scripts. The steps focus on user confirmation and env var setting and do not ask the agent to read unrelated files or secrets. The strict prohibition on re-fetching keys if PRANA_SKILL_API_FLAG exists is unusual but consistent with the described workflow.
Install Mechanism
No install spec; this is an instruction-only skill with two simple client scripts included. Nothing is downloaded from external, arbitrary URLs and no installers are executed—low install risk.
Credentials
Only PRANA_SKILL_API_FLAG is required. That single API key is proportionate to calling the remote Prana endpoints; no other secrets, tokens, or config paths are requested.
Persistence & Privilege
always:false and the clients are not autonomously modifying other skills. SKILL.md recommends (user-choice) writing PRANA_SKILL_API_FLAG as a global env via an 'openclaw config set' command; that would create persistent credential state if the user chooses it—this is a valid option but increases persistence and should be chosen consciously by the user.
Assessment
This skill appears to do what it claims: it uses a single API key (PRANA_SKILL_API_FLAG) to call a remote Prana agent and returns an analysis report. Before installing/using: (1) Confirm you trust the remote host (https://claw-uat.ebonex.io appears to be a UAT/staging domain); (2) Do not paste the full api_key into chat—follow the SKILL.md process and give explicit consent before retrieving/setting the key; (3) Prefer setting the key as a temporary/session env var unless you intentionally want persistent reuse; (4) Be aware that choosing the global env option will persist the key for future runs (consider key rotation and who has access to your environment); (5) If PRANA_SKILL_API_FLAG already exists, follow the skill rule and do not re-fetch/overwrite without an explicit user decision. If you need greater assurance, ask the skill author for the official production endpoint, key lifetime/rotation policy, and a vendor identity you can verify.scripts/prana_skill_client.js:140
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.Like a lobster shell, security has layers — review code before you run it.
latestvk97ajr62eafatc0gnc5ar6djjd84e1ka
License
MIT-0
Free to use, modify, and redistribute. No attribution required.