
Astock Daily

by batype · GitHub ↗ · v1.0.0
cross-platform · ⚠ suspicious
Downloads: 626
Stars: 1
Active Installs: 2
Versions: 1
Install in OpenClaw: /install astock-daily
Description
Daily emails listing recent A-share IPOs and selected stocks priced under 20 yuan, including key trading details.
README (SKILL.md)

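A-Share Daily Picks Skill

Description

Fetches A-share IPO information and selected stocks priced under 20 yuan each day and emails them to the user.

Activation

This skill is activated when the user mentions A-shares, IPOs, stock screening, or low-priced stocks.

Configuration

Add the following configuration to TOOLS.md: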

### A 股股票技能

- 邮箱:[email protected]
- 价格上限:20 元
- 发送时间:每天 09:00

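Usage

Run manually

node skills/astock-daily/index.js

Scheduled run

Run it daily via cron or OpenClaw's heartbeat feature.

Data sources

  • Eastmoney (东方财富网) API (IPO listings)
  • Sina Finance (新浪财经) API (stock quotes)

Output

The email contains:

  1. List of recent IPOs (code, name, subscription date, issue price)
  2. Selected stocks under 20 yuan (code, name, current price, change percentage, volume)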
Usage Guidance
This package performs more privileged and sensitive actions than the registry metadata claims. Before installing or running it:

  1. Inspect and remove any hard-coded credentials (test-smtp.js) and never run with those credentials; create a dedicated SMTP account/authorization for this skill.
  2. Do not blindly run fix-hosts.sh or any script that uses sudo; examine the exact hosts entries and only apply them if you trust the source and understand the change.
  3. Prefer exporting SMTP_CONFIG at runtime rather than adding it to ~/.zshrc/rc files; keep secrets out of checked-in files.
  4. Run npm install only after reviewing package.json and package-lock.json; verify dependencies come from a trusted registry.
  5. If you want to test, run the code in an isolated environment (container or VM) and avoid adding cron jobs until you confirm behaviour.

The inconsistencies (metadata vs code) and embedded plaintext password are red flags; treat this as potentially unsafe until you remediate those issues.
Capability Analysis
Type: OpenClaw Skill
Name: astock-daily
Version: 1.0.0

The skill is classified as suspicious due to several high-risk capabilities, despite their stated purpose:

  • It prompts for and stores SMTP credentials (email and password/auth code) in plain text in `.env` files and potentially shell configuration files (`.zshrc`, `.bashrc`).
  • The `fix-hosts.sh` script performs privileged operations by modifying `/etc/hosts` using `sudo`.
  • The `index.js` and `send-mail-applescript.js` files use `child_process.exec` to run system commands (`sendmail`, `osascript`), which could be vulnerable to injection if the content were not carefully controlled.
  • The `nodemailer` configuration in `index.js` and `test-smtp.js` uses `tls: { rejectUnauthorized: false }`, which disables certificate validation and makes the SMTP connection vulnerable to Man-in-the-Middle attacks.

While these actions are explained as necessary for the skill's functionality (sending daily stock updates via email and fixing specific network issues), they represent significant security vulnerabilities and poor security practices, elevating the classification to suspicious rather than benign. There is no clear evidence of intentional malicious behavior like data exfiltration to unauthorized parties or unauthorized remote control.
Capability Assessment
Purpose & Capability
The skill description (fetch A-share IPOs and low-price stocks + email) is reasonable, but the registry metadata says no required env vars or install steps while the package includes nodemailer, .env usage, and code that expects SMTP credentials and the ability to write files and cron entries. The presence of a hard-coded target email ([email protected]) and helper scripts to save credentials into ~/.zshrc/.env is inconsistent with the 'no credentials required' claim.
Instruction Scope
SKILL.md plus other docs and scripts instruct the user to provide SMTP credentials (SMTP_CONFIG), run setup scripts that add cron jobs, and run a fix-hosts.sh that appends entries to /etc/hosts (requires sudo). The runtime code reads process.env.SMTP_CONFIG, writes .env and data-*.json, executes sendmail/osascript. These behaviours go beyond simple data fetching and include system config changes and credential handling.
Install Mechanism
The registry lists 'no install spec' (instruction-only), but the package contains package.json/package-lock.json with a nodemailer dependency — meaning npm install is required to enable SMTP sending. That mismatch (no declared install but real code + dependencies) is an incoherence and increases risk because users may run code without performing an explicit vetted install step.
Credentials
Although the skill metadata declares no required env vars, the code relies on SMTP_CONFIG (and scripts create .env and optionally export SMTP_CONFIG into shell RC). test-smtp.js contains a hard-coded username and plaintext password ('[email protected]' / '[email protected]'). Requesting or storing SMTP credentials and suggesting adding them to shell RC/.env is disproportionate without explicit declaration in metadata and raises credential exposure risk.
Persistence & Privilege
The skill's helper scripts add cron jobs, can append SMTP_CONFIG to ~/.zshrc or other shell rc files, and provide a script to append entries to /etc/hosts using sudo. While these actions can be legitimate for scheduling and DNS fixes, they grant long-lived system changes and require elevated privileges (hosts modification). The skill itself is not marked always:true, but it instructs the user to persist credentials and jobs on the host — a notable persistence surface.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install astock-daily
  3. After installation, invoke the skill by name or use /astock-daily
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
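A-Share Daily Picks skill 1.0.0, initial release:

  • Automatically compiles A-share IPO information and selected stocks priced under 20 yuan every day.
  • Supports sending the selected list automatically by email.
  • Can be activated by keywords; supports scheduled and manual runs.
  • Integrates data from Eastmoney (东方财富网) and Sina Finance (新浪财经).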
Metadata
Slug astock-daily
Version 1.0.0
License
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is Astock Daily?

Daily emails listing recent A-share IPOs and selected stocks priced under 20 yuan, including key trading details. It is an AI Agent Skill for Claude Code / OpenClaw, with 626 downloads so far.

How do I install Astock Daily?

Run "/install astock-daily" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Astock Daily free?

Yes, Astock Daily is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Astock Daily support?

Astock Daily is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Astock Daily?

It is built and maintained by batype (@batype); the current version is v1.0.0.
