Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PRISM OS SDK

v0.1.2

Financial data SDK for AI Agents. 218+ read-only endpoints for market data, prices, fundamentals. Built for Cursor, Claude, OpenClaw. Data retrieval only.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability

The SKILL.md and README repeatedly state 'read-only' and 'no wallet access / no trading execution'. However the bundle contains execute/dex modules, architecture docs and example code that reference quote simulation, dex.executeSwap, execute.* flows returning txHash, and integration patterns that auto-register many tools. This is an incoherence: a read-only SDK normally wouldn't include execution modules or examples that show producing txHash/executeSwap. The PRISM_API_KEY alone is plausible for read-only data, but the presence of execute functionality is not justified by the SKILL.md claims.

! Instruction Scope

The runtime instructions (SKILL.md) are scoped to fetching market data and ask only for PRISM_API_KEY. They instruct installing the npm package and show read-only calls. But the repository files and examples call onchain and execute endpoints (getTopHolders, simulate/execute swap, risk.simulateTx, dex.executeSwap with signer), which extend scope beyond purely fetching public data. The SKILL.md does not disclose how execute methods behave or whether they can accept signer objects / trigger transactions.

Install Mechanism

No install spec in the skill manifest (instruction-only), and SKILL.md suggests 'npm install prism-finance-os' — a standard public install method. The bundle includes package.json and full source files, not an opaque remote download. This is lower risk than arbitrary URL installs, but you should still verify the npm package source and package.json dependencies before installing.

Credentials

Only PRISM_API_KEY is required and declared as the primary credential — this is proportional for a data SDK. There are no required env vars that obviously exceed the stated purpose. However, if you plan to use execute features, additional secrets (wallet/private keys, provider API keys) could be needed in practice; SKILL.md does not request them but code paths suggest such inputs may be accepted at runtime.

Persistence & Privilege

The skill does not request always:true and defaults are standard (user-invocable, model invocation allowed). There are no install-time behaviors in SKILL.md that modify other skills or system-wide settings. Autonomous invocation combined with the execute-capable code increases blast radius, but autonomy alone is expected platform behavior.

What to consider before installing

This package mostly looks like a comprehensive market-data SDK and correctly asks only for PRISM_API_KEY. The red flag is inconsistency: SKILL.md promises read-only behavior, but the repository and examples include 'execute' modules, simulate/execute flows, and references to swap execution that could accept a signer and produce transaction hashes. Before installing or enabling autonomous use:

  1) Inspect src/modules/execute (and any onchain/dex files) to confirm they are truly simulation-only and do not send transactions or accept private keys.
  2) Review package.json and package-lock for third-party dependencies and any postinstall scripts.
  3) Verify the npm package and GitHub repo (authenticity and recent commits) match the published package.
  4) Do not provide private keys or wallet mnemonics to the skill; if you need execution, prefer explicit signer objects you control in a sandbox.
  5) If you want a safer setup, restrict autonomous invocation (disable model invocation for this skill) until you audit the execute functionality.

If you want, I can scan specific source files (e.g., src/modules/execute/index.ts and any files that reference signer/wallet or external webhook URLs) and summarize exactly where execution or outbound side-effects occur.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ergfdje00xzzk7bqpvy73y181fqfb


Runtime requirements

📊 Clawdis
Env: PRISM_API_KEY
Primary env: PRISM_API_KEY

SKILL.md

PRISM Finance OS

Financial Data SDK for AI Agents

Read-only market data SDK. 218+ endpoints for prices, fundamentals, and analytics.

Security Notes

  • Read-only API — fetches public market data only
  • No wallet access — does not interact with wallets or private keys
  • No trading execution — execute modules are for quote simulation only, not live trades
  • Data only — returns JSON market data for analysis
  • API key required — set PRISM_API_KEY environment variable

Quick Start

```bash
npm install prism-finance-os
```

```javascript
import PrismOS from 'prism-finance-os';

const prism = new PrismOS({ apiKey: process.env.PRISM_API_KEY });

// Get crypto price
const btc = await prism.crypto.getConsensusPrice('BTC');

// Get stock fundamentals
const aapl = await prism.stocks.getFundamentals('AAPL');

// Get DeFi protocol TVL
const tvl = await prism.defi.getProtocolTVL('aave');
```

Required Environment Variable

```bash
export PRISM_API_KEY=your_api_key_here
```

Get your free API key at api.prismapi.ai

Data Categories

| Category | Examples |
|---|---|
| Crypto Prices | BTC, ETH, SOL prices across exchanges |
| Stock Data | Fundamentals, earnings, financials |
| DeFi Analytics | Protocol TVL, yields, stablecoin supply |
| Macro Data | Fed rates, inflation, GDP (via FRED) |
| Technical Analysis | RSI, MACD, moving averages |
| News & Sentiment | Market news with sentiment scores |

License

MIT License - see LICENSE

Files

30 total