hongjiahao371-pixel

fund-monitor

by hongjiahao371-pixel · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 587
Stars: 0
Active Installs: 4
Versions: 1
Install in OpenClaw
/install fund-monitor
Description
Fund monitoring Skill - fetches fund net asset values (NAV) and gain/loss data, with support for batch queries and monitoring
README (SKILL.md)

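Fund Monitoring Skill

Capability Overview

This Skill fetches fund net asset values (NAV) and gain/loss data, and supports:

  • Single-fund queries
  • Batch fund queries
  • Portfolio holdings analysis
  • Daily gain/loss report

Usage

1. Query a single fund

Query today's data for fund 017745

2. Batch query

Query today's gains/losses for the following funds: 017745, 002834, 018412

3. Holdings analysis (requires holdings data)

Analyze my fund holdings: 017745 27366 yuan, 002834 15815 yuan

Notes

  • Free data sources may be delayed
  • Batch queries are rate-limited
  • A network connection is required
  • Supports A-share public mutual funds (off-exchange funds)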
Usage Guidance
This skill mostly does what it says (fetches fund data), but the package contains undeclared behaviour that posts reports to a Feishu document using hard-coded credentials. Before installing or running it:

  • Inspect and understand the hard-coded strings: DOC_TOKEN, APP_ID, APP_SECRET appear in append-fund.js and update-feishu.js. These allow the skill to authenticate to open.feishu.cn and append content to a remote doc.
  • Be aware scripts read local files (e.g., /Users/js/.openclaw/workspace/fund_data.json and ~/.openclaw/workspace/skills/fund-monitor). That could expose local data to the Feishu endpoint when run.
  • If you need Feishu integration, prefer replacing hard-coded credentials with environment variables you control, and limit the app's permissions; do not use the embedded secrets.
  • Do not run run-fund-report.sh or update scripts until you confirm what will be sent and to which account; run the fund-monitor scripts in a sandboxed environment first and inspect outputs.
  • Ask the publisher for clarification: why Feishu credentials are embedded, who owns the Feishu doc, and whether the behaviour should be documented in SKILL.md.
  • If you cannot verify the origin or purpose of the embedded credentials, avoid installing or executing the reporting scripts, and consider removing the remote-posting code or replacing credentials with your own securely stored values.
Capability Analysis
Type: OpenClaw Skill
Name: fund-monitor
Version: 1.0.0

The skill bundle contains hardcoded sensitive credentials, including a Feishu APP_ID and APP_SECRET, in both append-fund.js and update-feishu.js. There is a significant file type mismatch where append-fund.js contains Python code despite its extension, and multiple scripts reference hardcoded absolute file paths tied to a specific local user environment (/Users/js/). While the logic appears aligned with the stated purpose of fund monitoring, the inclusion of active API secrets and environment-specific paths is a high-risk practice that could lead to credential exposure or execution failures.
Capability Assessment
Purpose & Capability
The Python scripts fetch fund data from expected public sources (eastmoney) which matches the skill description. However, multiple files (append-fund.js, update-feishu.js, run-fund-report.sh) implement automatic posting to a Feishu document using hard-coded DOC_TOKEN, APP_ID, and APP_SECRET. SKILL.md does not mention Feishu integration or automatic posting, so these external-reporting capabilities are undeclared and disproportionate to the stated usage examples.
Instruction Scope
SKILL.md shows only query and analysis commands and mentions a "daily gain/loss report" ('每日涨跌播报') but does not instruct the agent to read local files or push data to Feishu. The included scripts (append-fund.js, update-feishu.js, run-fund-report.sh) read local data (/Users/js/.openclaw/workspace/fund_data.json and workspace paths) and send parsed results to open.feishu.cn. That means data produced or present on the host may be transmitted to an external endpoint not described in the runtime instructions.
Install Mechanism
There is no network download/install step included (instruction-only with bundled code files). No external install URLs or archive extraction are used. The presence of multiple runnable scripts is expected for a skill with local reporting behavior.
Credentials
The skill metadata declares no required environment variables or credentials, but the code embeds plaintext Feishu credentials (DOC_TOKEN, APP_ID, APP_SECRET) in both append-fund.js and update-feishu.js. Embedding credentials rather than declaring them as required env vars is inconsistent and risky. The scripts will use these credentials to authenticate to Feishu and append data to a remote document.
Persistence & Privilege
The skill is not configured with always:true and does not request elevated platform privileges. However, run-fund-report.sh and run_fund.sh are present and, if executed by the agent or scheduled externally, will cause automatic remote updates. Autonomous model invocation is allowed by default (not a specific issue unless combined with the other red flags).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install fund-monitor
  3. After installation, invoke the skill by name or use /fund-monitor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
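Initial release of fund-monitor skill.
  • Provides fund NAV and gain/loss queries, for a single fund or in batch
  • Supports fund portfolio holdings analysis
  • Can produce a daily fund gain/loss report
  • Be aware of data delays and query rate limits when using it
  • Supports A-share public mutual funds (off-exchange funds)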
Metadata
Slug fund-monitor
Version 1.0.0
License MIT-0
All-time Installs 4
Active Installs 4
Total Versions 1
Frequently Asked Questions

What is fund-monitor?

Fund monitoring Skill - fetches fund net asset values (NAV) and gain/loss data, with support for batch queries and monitoring. It is an AI Agent Skill for Claude Code / OpenClaw, with 587 downloads so far.

How do I install fund-monitor?

Run "/install fund-monitor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is fund-monitor free?

Yes, fund-monitor is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does fund-monitor support?

fund-monitor is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created fund-monitor?

It is built and maintained by hongjiahao371-pixel (@hongjiahao371-pixel); the current version is v1.0.0.
