
Stock Data Monorepo

by shinelp100 · GitHub ↗ · v1.2.5 · MIT-0
cross-platform ⚠ suspicious
63 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install stock-data-monorepo
Description
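A collection of A-share stock data query skills, comprising 4 sub-skills: cn-stock-volume (trading volume), stock-top-gainers (top gainers ranking), ths-stock-themes (themes and concepts), stock-theme-events (theme events). **Trigger scenarios**: - As a data source dependency of stock-daily-report...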
Usage Guidance
What to check before installing or running this skill:
- Review and run the scripts in a sandboxed environment (not on a production host). The code uses subprocess to call 'openclaw', 'npx', and 'node' — confirm those binaries exist and are trustworthy in your environment.
- Inspect any subprocess invocations that interpolate strings (the code uses python -c and builds command strings in places). If you will pass untrusted input to the scripts, this can be a command-injection risk.
- Note the scripts read/write files under your home directory (workspace, ~/.jvs/.openclaw, ~/Desktop, manual/). If you are uncomfortable with that, run from a separate user or container and change output paths.
- The code attempts to read another skill's cache at a hardcoded path; verify you are okay with cross-skill file reads and that no sensitive data exists at that path.
- Dependencies: SKILL.md lists pip packages (akshare, sentence-transformers, scikit-learn). Ensure you install them in an isolated virtualenv to avoid dependency conflicts.
- If you plan to allow autonomous agent invocation, be cautious: the scripts try to call platform tooling to access a 'browser' tool. If the platform CLI were compromised, this skill could trigger broader actions — consider keeping autonomous invocation disabled until you vet the toolchain.
If you want, I can highlight exact lines of concern (subprocess calls, hardcoded cache paths, file-write locations) so you or a developer can inspect them before running.
Capability Analysis
Type: OpenClaw Skill
Name: stock-data-monorepo
Version: 1.2.5
The skill bundle contains several security vulnerabilities and poor development practices that pose a risk to the host environment. Specifically, 'cn-stock-volume/scripts/fetch_data.py' exhibits a potential code injection vulnerability where a URL is unsafely interpolated into a Python command string executed via 'subprocess.run'. Additionally, multiple scripts, including 'generate_report.py' and 'run_full_analysis.py', use hardcoded absolute paths tied to a specific user environment ('/Users/shinelp100/...') and write files directly to the user's Desktop ('~/Desktop/A 股每日复盘'). While these behaviors appear to be unintentional flaws or developer oversights rather than intentional malware, the combination of intrusive file system access and unsafe command execution warrants a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description match the included code: the repo contains four stock-related sub-skills (index numbers, top gainers, themes, theme-events). Declared Python/browser requirements and pip packages (akshare, sentence-transformers, scikit-learn) align with scraping and NLP/clustering tasks in the files (e.g., cluster_themes.py, fetch_themes.py). Minor inconsistency: top-level registries reported 'no install spec', but SKILL.md contains an 'install' metadata block listing pip packages — the user should ensure dependencies will actually be installed or installed manually.
Instruction Scope
Runtime instructions and scripts instruct the agent/user to run Python scripts and to use a 'browser' tool. Several scripts (browser_fetch.py, fetch_data.py) run subprocesses that invoke the OpenClaw CLI (openclaw browser / web-fetch) and even try alternative execution paths (npx, node). fetch_data.py also attempts to read a hardcoded cache file path belonging to another skill (.jvs/.openclaw/workspace/skills/fetch-index-data/cache/2026-03-20.json). The scripts write outputs to user Desktop and workspace. These instructions extend beyond simple HTTP requests (they attempt to call platform tooling and access other skills' files), so review is advised.
Install Mechanism
Registry metadata says 'no install spec' but SKILL.md includes an 'install' array listing pip packages (akshare, sentence-transformers, scikit-learn). The package list is reasonable for the claimed functionality. No remote download/install from arbitrary URLs was observed. Because the repository is code-heavy (many Python scripts), the practical install step is likely 'pip install' + running scripts — confirm how your agent/host will install those pip deps.
Credentials
The skill declares no required environment variables or credentials, which matches the description. However, scripts access filesystem locations (Path.home(), ~/.jvs/.openclaw/workspace, user Desktop, and a 'manual' directory) and attempt to read another skill's cache file. Reading other skill directories is unexpected for a single-purpose data fetcher and could expose or reuse unrelated data. The skill also spawns subprocesses that rely on a platform CLI (openclaw/npx/node) and manipulates PATH when invoking them — this increases the runtime environment surface and should be checked.
Persistence & Privilege
The skill does not request 'always: true', does not declare privileged persistent presence, nor does it modify other skills' configurations. It writes output files to standard user paths (workspace, Desktop) and creates 'manual/' files — expected for a reporting tool. There is some cross-skill access (reading a specific cache file) but no evidence the skill auto-enables itself or claims elevated platform privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install stock-data-monorepo
  3. After installation, invoke the skill by name or use /stock-data-monorepo
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.5
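Updated stock-top-gainers and ths-stock-themes metadata; added browser scripts
v1.2.4
v1.2.2: Fixed handling of non-trading-day data, added the complete stock-top-gainers script, improved the stock-theme-events analysis features
v1.2.3
v1.2.2: Fixed handling of non-trading-day data, added the complete stock-top-gainers script, improved the stock-theme-events analysis features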
Metadata
Slug stock-data-monorepo
Version 1.2.5
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Stock Data Monorepo?

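A collection of A-share stock data query skills, comprising 4 sub-skills: cn-stock-volume (trading volume), stock-top-gainers (top gainers ranking), ths-stock-themes (themes and concepts), stock-theme-events (theme events). **Trigger scenarios**: - As a data source dependency of stock-daily-report... It is an AI Agent Skill for Claude Code / OpenClaw, with 63 downloads so far.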

How do I install Stock Data Monorepo?

Run "/install stock-data-monorepo" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Stock Data Monorepo free?

Yes, Stock Data Monorepo is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Stock Data Monorepo support?

Stock Data Monorepo is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Stock Data Monorepo?

It is built and maintained by shinelp100 (@shinelp100); the current version is v1.2.5.
