
Tianji Data

by horizoncove · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
75 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install yuheng-tianji-data
Description
| Priority | Data source | Method | Latency | Instruments covered |. Trigger words: 搜索 (search), search, skill, 优化 (optimize), 数据 (data), data.
Usage Guidance
This skill appears to implement market data scraping and alerting, which matches its description, but exercise caution before installing:

- Inspect and control outbound messaging: market_watcher.push_to_feishu sends messages via an external messaging tool to a hardcoded Feishu user id (ou_...). Confirm who owns that account and whether you want alerts sent there. The skill does not declare any Feishu/token env vars — it relies on existing workspace tooling/credentials.
- Command-injection risk: push_to_feishu embeds the alert text directly into a python -c string without escaping; a crafted alert could break that string and execute arbitrary code. Prefer modifying the code to call a local function/module directly, pass the message as a safely-escaped argument (or via stdin), or use subprocess with an argument list referencing a script file rather than an interpolated -c string.
- Data exposure: collected snapshots and alerts are written under /workspace/data/tianji-system. If that workspace is shared or backed up, sensitive data could leak. Restrict access or change the storage path if necessary.
- Dependencies on external tooling: the code dynamically imports message_tool and tools.message which are not part of the skill. Audit those modules (where they live in your environment) to see how they deliver messages and where credentials are stored.
- Testing recommendation: run the skill in a restricted/sandboxed environment first (no credentials, no messaging tooling) to verify behavior, and consider removing or stubbing the push_to_feishu function until you verify the target and escape handling.

If you need, I can produce a safe patch for push_to_feishu (escape the message, remove hardcoded target, or provide a safer API) or list the exact locations to change.
Capability Analysis
Type: OpenClaw Skill
Name: yuheng-tianji-data
Version: 1.0.0

The skill bundle is designed for financial market data collection and monitoring, fetching data from Tencent and Sina APIs. It contains a critical code injection vulnerability in 'market_watcher.py' within the 'push_to_feishu' function, which uses 'subprocess.run' to execute a Python snippet containing an unsanitized 'alert_msg' string. Additionally, it includes a hardcoded Feishu recipient ID ('user:ou_fd61d5ebc9af22913aa4c21c8e3cac14') for alerts. While these represent significant security risks and poor coding practices, they appear to be unintentional vulnerabilities rather than clear evidence of malicious intent.
Capability Assessment
Purpose & Capability
Name/description and code align: the Python modules fetch market data from public endpoints (qt.gtimg.cn, hq.sinajs.cn) and produce snapshots/alerts. The SKILL.md and code consistently target market data collection and alerting. Minor inconsistency: SKILL.md mentions helper actions like extract_content_from_websites and batch_web_search that are not provided as named functions in the shipped modules (the code uses its own _fetch/get_* functions).
Instruction Scope
Instructions and code instruct storing data under /workspace/data/tianji-system (expected for a data-scraper). However, market_watcher.py contains push_to_feishu which constructs a subprocess call that invokes tools.message with a hardcoded Feishu user id. That causes the skill to potentially send alerts (and therefore data) out of the agent environment to an external account without any explicit credential declaration in the skill metadata. The SKILL.md does not document this messaging behavior or the external target.
Install Mechanism
No install spec — instruction-only plus included Python files. No downloaded/extracted third-party artifacts or unusual install behavior were found.
Credentials
The skill declares no required env vars or credentials, yet the code attempts to call an external messaging tool (tools.message / message_tool) that presumably relies on platform or workspace credentials. The absence of declared credential requirements hides the fact that alerts may be sent using pre-existing messaging credentials. Also push_to_feishu uses a hardcoded target user id, which may leak data to an unknown external recipient.
Persistence & Privilege
The skill writes data and logs to /workspace/data/tianji-system and uses /tmp/tianji_prev_state.json for state — reasonable for a data collector. always:false (no forced persistence). It does not attempt to modify other skills or system-wide config. Creating files in the workspace is expected but means collected data will persist in the agent environment.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install yuheng-tianji-data
  3. After installation, invoke the skill by name or use /yuheng-tianji-data
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of tianji-data.

- Provides prioritized, free multi-source financial and commodity data collection.
- Includes code samples and interface usage for real-time A-shares, commodities, Hong Kong indices, and QDII ETFs.
- Standardizes data format and storage; documents storage paths.
- Details data collection, quality, and error handling protocols.
- Lists supported collection keywords and supported sources.
Metadata
Slug yuheng-tianji-data
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Tianji Data?

| Priority | Data source | Method | Latency | Instruments covered |. Trigger words: 搜索 (search), search, skill, 优化 (optimize), 数据 (data), data. It is an AI Agent Skill for Claude Code / OpenClaw, with 75 downloads so far.

How do I install Tianji Data?

Run "/install yuheng-tianji-data" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Tianji Data free?

Yes, Tianji Data is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Tianji Data support?

Tianji Data is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Tianji Data?

It is built and maintained by horizoncove (@horizoncove); the current version is v1.0.0.
