← Back to Skills Marketplace
258
Downloads
0
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install today-earnings
Description
从 Yahoo Finance 获取财报日历数据。适用于查询指定日期或当天财报、输出公司列表、按财报发布时间区分 BMO/AMC/TNS。当前实现基于 Chrome Extension + Native Messaging,需要本地安装 Chrome 扩展、Native Host、Google Chrome 与...
Usage Guidance
What to consider before installing:
- This skill implements exactly what it claims: a Chrome extension + Native Messaging host + Node CLI to scrape Yahoo Finance. You must load the extension and run the provided install script (or run the generated Windows .bat) so Chrome can launch the native host.
- Local-IPC exposure: when the host is started by Chrome it creates a UNIX domain socket at /tmp/today-earnings.sock that accepts requests from any local process. That means any local user or process could connect to the socket and cause the extension to open the Yahoo Finance earnings page and return scraped data. If you run multi-user systems or run untrusted local processes, treat this as a risk. Consider inspecting/adjusting the socket path and file permissions or running on an isolated account/machine.
- Documentation vs. implementation mismatch: some docs say only AMC/BMO records will be kept, but the parser/transform code preserves AMC/BMO/TNS (and parser.js contains comments that differ from design.md). If you rely on strict filtering, review parser.js and scripts/get-company-list.mjs to confirm the actual behavior before using results programmatically.
- Review produced files before running install.sh: install.sh writes manifest files and wrapper scripts and may prompt you to use sudo for system locations. Ensure the manifest's "path" is correct and points to trusted code (native-host/host.js or the generated run-host wrapper). On Windows, the generated install-windows.bat modifies HKCU (user registry) — review it before execution.
- If you decide to install: run it on a single-user, trusted machine; verify /tmp/today-earnings.sock permissions after host start; consider removing the extension and native host artifacts when no longer needed (delete manifest files, wrapper scripts, and any generated Windows registry keys/manifest entries).
- If you want higher assurance: ask the author to (1) restrict the socket to a less-global path and set restrictive file permissions, (2) add an authentication token exchanged by CLI and host, or (3) make the host accept connections only from a launched CLI process rather than any local process. If those changes are present, I would raise confidence to benign.
Capability Analysis
Type: OpenClaw Skill
Name: today-earnings
Version: 4.3.4
The skill bundle is a legitimate tool designed to scrape earnings data from Yahoo Finance using a Chrome Extension and Native Messaging architecture. While the installation script (native-host/install.sh) performs high-privilege actions such as writing to browser configuration directories and modifying the Windows registry, these are standard requirements for establishing a Native Messaging Host. The code logic across the background scripts, content scripts, and the Node.js bridge (host.js) is transparent, well-documented in design.md, and lacks any indicators of data exfiltration, unauthorized remote execution, or malicious prompt injection.
Capability Assessment
Purpose & Capability
Name/description (fetch Yahoo Finance earnings) match the provided code: a Chrome extension opens the Yahoo earnings page, a content script parses the DOM, and a native host + CLI glue the local invocation. Required permissions (tabs, scripting, nativeMessaging, host permission for finance.yahoo.com) are proportional to the stated purpose. Minor mismatch: several design/docs statements say the first version will "only keep AMC/BMO", but parser.js and the runtime transform accept AMC/BMO/TNS (and parser.js's comment even says it preserves all earningType). This discrepancy between docs and code should be resolved.
Instruction Scope
SKILL.md and references instruct installing a Chrome extension and native host and running the CLI — all within scope. However, implementation details expand the runtime surface: the native host, once launched by Chrome, starts a persistent UNIX socket server at /tmp/today-earnings.sock that will accept connections from any local process. That socket allows any local actor to request the extension perform fetch requests (the extension is hardcoded to finance.yahoo.com calendar URLs only). This is expected for the CLI design but is a non-trivial local-IPC exposure that the documentation doesn't explicitly warn about or harden.
Install Mechanism
There is no remote download of executable code; the repo contains an install.sh that writes native messaging manifests and wrapper scripts and guides Windows registry registration. Installation writes files into user Chrome native messaging locations or generates Windows artifacts — standard for native messaging hosts. No external network fetches or URL shorteners are used by the install scripts.
Credentials
The skill requests no environment variables or external credentials — appropriate. It does require Node.js and a local Chrome instance and to register a native messaging host manifest. The notable proportionality issue is the persistent /tmp socket: the host creates a local IPC endpoint without explicit client authentication, which increases local attack surface (other local users/processes could connect).
Persistence & Privilege
always:false (good). But the background service worker sets a frequent alarm to keep itself alive and the native host, when launched by Chrome, runs a long-lived socket server. The combination (persistent host + open UNIX socket) grants the skill sustained local presence and locally-exploitable IPC; the skill also instructs installing manifests into user Chrome config and modifying HKCU on Windows. None of that is inherently malicious, but it raises persistence/privilege considerations that the user should be aware of.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install today-earnings - After installation, invoke the skill by name or use
/today-earnings - Provide required inputs per the skill's parameter spec and get structured output
Version History
v4.3.4
移除按市值过滤能力;修复 install.sh 权限提示与写入失败报错;补充 Chrome 启动说明与单位说明;移除 earningType 过滤;延后改为按可通讯性探测 tab;完善跨平台安装支持。
v4.3.3
修复 install.sh 权限提示与写入失败报错;补充 Chrome 未启动时的命令行打开说明与 M/B/T 单位说明;移除对 earningType 的过滤逻辑。
v4.3.2
新增 Native Host 跨平台安装支持(macOS/Linux/Windows/WSL),并修复 tab 等待逻辑:改为 3 秒后探测通讯可达性,失败按 1 秒间隔最多重试 10 次。
v4.3.1
按 skill creator 规范梳理文档结构,精简 SKILL.md,新增 references/usage_guide.md,收敛技术参考并删除重复 README。
Metadata
Frequently Asked Questions
What is Today Earnings?
从 Yahoo Finance 获取财报日历数据。适用于查询指定日期或当天财报、输出公司列表、按财报发布时间区分 BMO/AMC/TNS。当前实现基于 Chrome Extension + Native Messaging,需要本地安装 Chrome 扩展、Native Host、Google Chrome 与... It is an AI Agent Skill for Claude Code / OpenClaw, with 258 downloads so far.
How do I install Today Earnings?
Run "/install today-earnings" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Today Earnings free?
Yes, Today Earnings is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Today Earnings support?
Today Earnings is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Today Earnings?
It is built and maintained by holenlin (@lhl09120); the current version is v4.3.4.
More Skills