Stock Monitor Skill

自动监控股票价格，突破阈值时自动发送飞书语音提醒。支持多只股票、自定义阈值、交易时间判断。

Things to check before installing/using: - Verify which files actually exist in the package: SKILL.md/README mention get_price.sh, notify.sh, and config.sh but the bundle contains fetch_price.sh and monitor.sh; confirm the entry_point (scripts/monitor.sh) is the intended runner and that no missing helper scripts are required. - Inspect any send_voice.sh script you will use (the skill will call ../feishu-edge-tts/scripts/send_voice.sh if that sibling directory exists). If you rely on that, review that script to see how FEISHU_* and NOIZ_API_KEY are used. - Confirm why NOIZ_API_KEY is required and what scope/permissions that key has; avoid reusing high-privilege keys. If you don't have or trust NoizAI, test operation in a safe environment where TTS fallback (echo) is acceptable. - Run the scripts in a sandbox or isolated account first (crontab scheduling can cause repeated network activity). Check logs to ensure credentials are used only for sending alerts and not for uploading data elsewhere. - Because the package is instruction-only and uses network calls, prefer running it on a host where you can monitor outbound traffic and rotate any credentials after testing.

Type: OpenClaw Skill Name: stock-monitor-siyou Version: 2.0.0 The skill bundle provides stock monitoring functionality but contains a shell injection vulnerability in scripts/monitor.sh and scripts/fetch_price.sh. The 'stock_code' variable, read from the user-controlled stocks.conf file, is passed unsanitized into a curl command string, which could allow for arbitrary command execution. While the script's behavior is aligned with its stated purpose and no clear evidence of intentional malice or data exfiltration was found, the combination of high-risk shell operations and the requirement for sensitive environment variables (FEISHU_APP_SECRET, NOIZ_API_KEY) warrants a suspicious classification.