← Back to Skills Marketplace
335
Downloads
0
Stars
2
Active Installs
2
Versions
Install in OpenClaw
/install ashare-fast-watcher
Description
A-Share millisecond-level market data watcher using Tencent direct API.
README (SKILL.md)
Ashare Fast Watcher
A high-performance skill to monitor A-Share market movements.
Actions
get_market_snapshot
Fetches real-time price, change, volume, and Level-1 quotes.
Parameters
codes: (Required) String. Stock codes with prefix, e.g., "sh600519,sz000001".
check_volatility
Detects sudden volume spikes or price movements.
Parameters
code: (Required) String. Single stock code.
Usage Guidance
What to check before installing/running: 1) Confirm the author/source — repository metadata and homepage are missing. 2) Ask the publisher to explain how SKILL.md actions (get_market_snapshot, check_volatility) map to the included scripts; the mismatch could be sloppy packaging. 3) Run code in an isolated environment (container/VM) because daemon.py runs an infinite loop and calls os.system to execute osascript (macOS). 4) If you will use the notification feature, review/adjust notify_mac to avoid shell invocation or better escape single quotes (current code only replaces double quotes). 5) Install and audit required Python packages (requests, akshare, pandas); requirements.txt is empty so dependencies are undeclared. 6) If you need cross‑platform behavior, note the macOS-only notifier and either disable it or add an OS check. If you cannot verify the author or fix the above inconsistencies, treat the skill as untrusted and avoid running it on production systems or systems with sensitive data.
Capability Analysis
Type: OpenClaw Skill
Name: ashare-fast-watcher
Version: 1.0.1
The skill bundle contains a command injection vulnerability in daemon.py within the notify_mac function. It uses os.system to execute osascript for macOS notifications using market data fetched from the Tencent API (qt.gtimg.cn) without sanitizing single quotes, which could allow arbitrary code execution if the API response is compromised. While the overall logic in index.py and radar.py aligns with the stated purpose of A-Share market monitoring and uses legitimate libraries like akshare, the insecure implementation of system-level notifications is a high-risk flaw.
Capability Assessment
Purpose & Capability
The code queries the Tencent qt.gtimg.cn API and performs bond/ETF scanning (consistent with a market watcher). However the SKILL.md declares actions named get_market_snapshot and check_volatility that do not map directly to the functions in index.py/daemon.py/radar.py (those files implement analyze_bond_linkage, analyze_etf_premium, a long‑running daemon, and akshare scans). Also the daemon implements a macOS-only notifier (osascript) but the skill metadata does not declare an OS restriction.
Instruction Scope
SKILL.md provides only two high-level actions but the repository contains runnable scripts (a perpetual daemon, index analyzer, and akshare scanners). daemon.py uses os.system to call osascript for notifications (executes shell commands), building the command from remote data with only limited escaping — this creates a potential command/argument injection vector if untrusted strings are used. The code also performs network calls to external APIs (expected) but SKILL.md does not document how the agent will invoke these scripts or map the declared actions to the code entrypoints.
Install Mechanism
There is no install spec (instruction-only), but the code imports third‑party packages (requests, akshare, pandas). requirements.txt is empty, so required dependencies are not declared — this is inconsistent and will cause runtime failures unless the environment already has these packages. No remote downloads or installers are present (low install risk), but missing dependency declarations are a usability/integrity issue.
Credentials
The skill requests no environment variables, credentials, or config paths — appropriate for a read‑only market watcher that calls public APIs. No unrelated secrets are requested.
Persistence & Privilege
The skill is not forced-always and allows model invocation (defaults). It does include a long-running daemon script (daemon.py) that loops indefinitely when executed; that is normal for a watcher but the SKILL.md does not explain the runtime model (whether the agent should run the daemon). The macOS notifier and infinite loop are behaviors to be aware of before running.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install ashare-fast-watcher - After installation, invoke the skill by name or use
/ashare-fast-watcher - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Introduced new components: daemon.py and radar.py for expanded functionality.
- Updated index.py to support changes and integrations with new modules.
- Lays groundwork for background processing and advanced monitoring features.
v1.0.0
Initial release of ashare-fast-watcher.
- Provides millisecond-level monitoring of A-Share market data via Tencent direct API.
- Supports fetching real-time price, change, volume, and Level-1 quotes for specified stock codes.
- Includes volatility detection for sudden volume spikes or price movements.
Metadata
Frequently Asked Questions
What is Ashare Fast Watcher?
A-Share millisecond-level market data watcher using Tencent direct API. It is an AI Agent Skill for Claude Code / OpenClaw, with 335 downloads so far.
How do I install Ashare Fast Watcher?
Run "/install ashare-fast-watcher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Ashare Fast Watcher free?
Yes, Ashare Fast Watcher is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Ashare Fast Watcher support?
Ashare Fast Watcher is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Ashare Fast Watcher?
It is built and maintained by kenswj (@kenswj); the current version is v1.0.1.
More Skills