← Back to Skills Marketplace
330
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install zack995-akshare
Description
Use AKShare for Chinese market and macro-finance data via Python. Use when the user asks for A股、港股、美股、ETF、基金、指数、宏观、利率、债券、期货、商品、分红、财务 or other public-market d...
Usage Guidance
This skill does what it says (install AKShare and run queries) but the helper executes whatever Python expression you pass. That means a crafted expression could read local files, environment variables (including secrets), or perform network requests. Before installing or allowing the agent to invoke this skill autonomously: 1) Only use it if you trust the skill author and the environment where the venv will run. 2) Consider running the bootstrap and evaluation commands manually in an isolated sandbox (container or dedicated VM). 3) If you need to allow automated use, request or implement a safer evaluator that restricts builtins and blocks __import__/os/subprocess or only accepts pre-validated AKShare function calls. 4) Do not supply sensitive credentials to the agent when using this skill. If you want, ask the maintainer to replace eval with a safe execution model (e.g., whitelist of AKShare functions or AST-based expression validation).
Capability Analysis
Type: OpenClaw Skill
Name: zack995-akshare
Version: 0.1.0
The skill contains a significant security vulnerability in 'scripts/akshare_eval.py', which uses the 'eval()' function to execute arbitrary Python code passed via the '--expr' argument. While this is a common (though risky) pattern for allowing an AI agent to execute dynamic data-fetching commands, it creates a Remote Code Execution (RCE) surface. The 'scripts/bootstrap_akshare_env.sh' script performs standard environment setup, and the overall functionality is consistent with the stated goal of fetching financial data via the AKShare library, but the lack of input sanitization in the execution script warrants a suspicious classification.
Capability Assessment
Purpose & Capability
Name and description match the included code: the scripts bootstrap a venv and run AKShare queries. However, the provided helper intentionally accepts arbitrary Python expressions (via eval), which gives broader execution capability than a narrow 'AKShare-only' fetcher.
Instruction Scope
SKILL.md instructs the agent to run scripts that call akshare_eval.py with a user-supplied --expr. akshare_eval.py uses Python's eval with {'__builtins__': __builtins__} and exposes ak, pd, json in globals — this allows arbitrary Python execution (including __import__, os, subprocess, reading files, environment access, and network calls). The documentation does not warn about or constrain arbitrary code execution or exfiltration risk.
Install Mechanism
The bootstrap script uses a local Python venv and pip to install akshare from PyPI; this is a conventional and expected install method for a Python data library and does not download arbitrary archives or external binaries.
Credentials
The skill declares no required environment variables (correct for its purpose), but runtime allows arbitrary expressions that can access os.environ or other secrets present in the agent environment. The bootstrap script permits overriding PYTHON_BIN and AKSHARE_VENV (benign), but there is no mitigation against expressions reading or exfiltrating environment variables or other local files.
Persistence & Privilege
The skill does not request permanent 'always' presence and does not modify other skills or global agent configuration. It only creates a venv in a user-writable path by default.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zack995-akshare - After installation, invoke the skill by name or use
/zack995-akshare - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial public release: bootstrap installer, query helper, GitHub homepage, and maintainer links.
Metadata
Frequently Asked Questions
What is AKShare?
Use AKShare for Chinese market and macro-finance data via Python. Use when the user asks for A股、港股、美股、ETF、基金、指数、宏观、利率、债券、期货、商品、分红、财务 or other public-market d... It is an AI Agent Skill for Claude Code / OpenClaw, with 330 downloads so far.
How do I install AKShare?
Run "/install zack995-akshare" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is AKShare free?
Yes, AKShare is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does AKShare support?
AKShare is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created AKShare?
It is built and maintained by Zack995 (@zack995); the current version is v0.1.0.
More Skills