Stock Heat Rank

Name: Stock Heat Rank
Author: n1e

Description

[Go语言版] 获取A股市场实时热度排名TOP50。聚合问财、雪球、东方财富三大平台人气榜单，计算复合热度分数。当用户需要查询A股热门股票、实时人气排名、市场关注度排行、涨停板热度分析时使用此技能。支持多平台热度对比，发现市场热点股票。

Usage Guidance

This skill appears to implement the stated feature (aggregating popularity lists and computing a composite heat score), but there are a few things to consider before installing: - Node.js/npm are required at runtime: the Go program execs 'node lib/hexin_v.js' and SKILL.md instructs running 'npm install' in lib. The registry metadata incorrectly claims no required binaries — make sure you have Node 18+ and npm available before running. - The bundled lib/hexin_v.js is large, minified/obfuscated, and is executed locally. The file is intended to generate a Hexin‑V request header for Wencai; if you are uncomfortable executing minified third‑party JS, review the file line-by-line or run the tool in an isolated environment (container or VM). You can also run network capture (tcpdump/Wireshark) during a test run to verify it only contacts the expected sites. - npm dependency 'canvas' may require native libraries (libcairo, etc.). Expect extra system-level dependencies when running 'npm install'. - The skill performs network requests to public platforms (iwencai, xueqiu, eastmoney). It does not request credentials, but scraping may be brittle and could trigger anti-bot protections. Avoid running as root; test in a sandbox and inspect network traffic if you need to be cautious about hidden endpoints. - If you want higher assurance: 1) Inspect lib/hexin_v.js (or replace it with a reviewed implementation), 2) run the Go binary with the Node call stubbed or instrumented to print the generated header without sending requests, 3) run in an isolated environment and verify behavior before using on a production machine. Given the metadata/instruction mismatch and the execution of bundled minified JS, treat this skill as suspicious until you confirm the JS signer does only local computation and there are no unexpected network calls.

Capability Analysis

Type: OpenClaw Skill Name: stock-heat-rank Version: 1.0.3 The skill bundle contains a heavily obfuscated JavaScript file (`lib/hexin_v.js`) which is required for generating API signatures. While the documentation claims this is extracted from official frontend code to bypass anti-scraping measures, the high level of obfuscation makes it impossible to verify if it contains hidden malicious logic. Furthermore, `main.go` uses `os/exec` to run this script via Node.js, which is a risky pattern. Although the behavior aligns with the stated purpose of scraping stock data, the presence of a large 'black box' execution payload is a significant security risk.

Capability Assessment

ℹ Purpose & Capability

The name/description (aggregate Wencai, Xueqiu, Eastmoney and compute TOP50) matches what the code does: the Go program fetches data from those sites and computes a composite score. However the skill metadata claims 'required binaries: none' and 'required env vars: none', while runtime actually depends on Node.js/npm (the Go code execs node to run lib/hexin_v.js and SKILL.md instructs running 'npm install' in lib). This is an incoherence between declared requirements and actual needs.

ℹ Instruction Scope

SKILL.md instructs installing JS deps and running the Go program; instructions do not ask to read unrelated local files or exfiltrate secrets. The runtime calls out to the three platforms (Wencai, Xueqiu, Eastmoney) — expected. The Go code runs a local Node script (lib/hexin_v.js) via exec.Command('node', ...), and makes HTTP requests to the target sites. The instructions claim hexin_v.js does no network I/O and only performs local signature generation; the included JS appears to set up a JSDOM environment and generate a header, but it is large/minified and partly obfuscated, which makes quick manual review difficult. The instructions are otherwise scoped to the task.

⚠ Install Mechanism

There is no formal install spec in registry metadata (instruction-only), but SKILL.md requires running 'npm install' in lib (jsdom & canvas) and running node. The code bundle includes a large minified JS (lib/hexin_v.js) extracted from a frontend; executing third-party/minified JS is higher risk because behavior is harder to audit. The included package.json is from npm (jsdom and canvas) — these are known packages but 'canvas' often requires native libs and can complicate install. No external download URLs are used, and Go build script is local. The main concern is executing bundled, minified JS with node that wasn't declared in required binaries.

⚠ Credentials

The skill declares no required credentials or config paths and the code does not request API keys. That is appropriate for a web-scraping aggregator. However it does execute local binaries (node) and spawns a child process — the metadata omission of Node/npm is a proportionality mismatch that could mislead users about what the skill will execute. No other environment variables or secrets are accessed in the code.

✓ Persistence & Privilege

The skill is not always:true, does not request elevated/persistent privileges, and does not modify other skills or system-wide settings. Build.sh creates artifacts in a local dist/ directory — normal for building a CLI. There is no evidence it writes persistent agent configuration or attempts to enable itself globally.

Version History

v1.0.3

- Indicate that this is a Go language version in both the Chinese and English descriptions. - Add "Go版本/Go Version" label to the title and throughout the documentation, clarifying the implementation language. - No changes to algorithm or functionality; documentation update only.

v1.0.2

- Added full English translations for all major sections alongside existing Chinese content in the documentation. - Introduced an English description_en field in metadata. - Improved table headers and output examples with bilingual (Chinese/English) labels. - Enhanced readability for international users by presenting execution steps, algorithm explanations, troubleshooting, and platform notes in both Chinese and English. - No functional or logic changes; documentation update only.

v1.0.1

- 优化了执行和运行文档说明，增加了 Go 直接运行与构建详细步骤。 - 默认推荐使用 `go run main.go` 直接运行，无需编译，简化启动流程。 - 项目结构和依赖安装步骤表述更清晰。 - 新增 hexin_v.js 功能和安全说明，提升透明度。 - 原有平台说明、故障排查等内容更为简洁易读。

v1.0.0

A股实时热度排名 skill 初始发布，支持多平台热榜聚合。 - 聚合问财、雪球、东方财富三大榜单，统一复合热度排名TOP50 - 创新设计复合热度打分，反映A股市场股票实时关注度 - 支持多平台热度对比及市场热点股票发现 - 多平台跨系统可执行文件，CLI 支持多种输出格式 - 提供详尽安装、运行与故障排查说明

Metadata

Slug stock-heat-rank

Version 1.0.3

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 4

Frequently Asked Questions

What is Stock Heat Rank?

[Go语言版] 获取A股市场实时热度排名TOP50。聚合问财、雪球、东方财富三大平台人气榜单，计算复合热度分数。当用户需要查询A股热门股票、实时人气排名、市场关注度排行、涨停板热度分析时使用此技能。支持多平台热度对比，发现市场热点股票。 It is an AI Agent Skill for Claude Code / OpenClaw, with 182 downloads so far.

How do I install Stock Heat Rank?

Run "/install stock-heat-rank" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Stock Heat Rank free?

Yes, Stock Heat Rank is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Stock Heat Rank support?

Stock Heat Rank is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Stock Heat Rank?

It is built and maintained by n1e (@n1e); the current version is v1.0.3.

More Skills

What is Stock Heat Rank?

How do I install Stock Heat Rank?

Is Stock Heat Rank free?

Which platforms does Stock Heat Rank support?

Who created Stock Heat Rank?

💬 Comments