
Stock Tools

by daguniang · GitHub ↗ · v1.0.6 · MIT-0
cross-platform ⚠ suspicious
456 Downloads · 0 Stars · 0 Active Installs · 7 Versions
Install in OpenClaw
/install stock-tools
Description
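Watchlist management and A-share market quote conversation capability. Use when the user asks in natural language to add/remove/list/clear watchlist stocks, or asks about a stock / watchlist quotes, percentage change, trend, performance, or overview, for example "add 0...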
Usage Guidance
This skill is internally consistent with its description and uses only a public quote endpoint; it does not request secrets. However, the stock management CLI allows a --file override that can point at any path the process can access — which could be used to read or overwrite sensitive files if the agent is instructed to do so. Before installing, consider: (1) only enable this skill in a sandboxed agent environment where the agent process has limited filesystem access, (2) review and/or modify stock_tools.js to disallow absolute paths or restrict paths to a designated data directory, and (3) if you don't need the CLI's --file flexibility, remove or harden that option. Also note a minor runtime risk: fetch_quote.js attempts to decode GBK via TextDecoder('gbk'), which may fail in some Node environments (functional bug, not a security issue).
Capability Analysis
Type: OpenClaw Skill
Name: stock-tools
Version: 1.0.6
The skill provides legitimate stock watchlist management and quote fetching via Sina Finance. However, `scripts/stock_tools.js` contains a path traversal vulnerability because it accepts an arbitrary file path via the `--file` command-line argument without sanitization or directory restriction. While the instructions in `SKILL.md` only reference a safe default path (`stocks-data/stocklist.txt`), the underlying script's capability could be exploited by a malicious user to trick the agent into reading or overwriting sensitive system files.
Capability Assessment
Purpose & Capability
Name/description, SKILL.md, and included scripts align: fetch_quote.js queries the public Sina quote API and stock_tools.js manages a local watchlist file. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
SKILL.md confines file storage to a workspace path (stocks-data/stocklist.txt) and instructs use of the included node scripts. The code implements exactly that. However, the stock_tools.js CLI accepts a --file argument permitting arbitrary file paths; the documentation does not warn about this override, which could be misused to access non-watchlist files.
Install Mechanism
No install spec or external downloads. The skill is instruction-only with two bundled JS scripts — nothing is fetched at install time and no external packages are automatically installed.
Credentials
No environment variables, credentials, or config paths are required. The network usage (https calls to hq.sinajs.cn) matches the stated purpose.
Persistence & Privilege
The skill writes to and reads from the filesystem (stocks-data/stocklist.txt) as intended. But because the CLI supports --file to point at arbitrary paths, an agent invoking this skill could read or overwrite arbitrary files that the skill process has access to. Although always:false, autonomous invocation plus this file-override capability raises risk of accidental or intentional data exposure.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install stock-tools
  3. After installation, invoke the skill by name or use /stock-tools
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.6
Make off-hours/invalid quotes human-friendly; show prevClose when realtime price unavailable
v1.0.5
Default short output to avoid truncation; add --json mode; filter invalid quotes; ignore .DS_Store
v1.0.4
Add lightweight quote fetcher and update skill guidance
v1.0.3
Tweak prompts in SKILL.md
v1.0.2
Remove: the description about preferring the large model for replies to quote-related questions
v1.0.1
Security-friendly 1.0.1: local script handles watchlist persistence only; runtime stocklist data removed from release package; stock quotes remain model-first.
v1.0.0
Initial 1.0.0 release: persistent watchlist storage, model-first stock Q&A, and fresh quote fetch rules.
Metadata
Slug stock-tools
Version 1.0.6
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 7
Frequently Asked Questions

What is Stock Tools?

Watchlist management and A-share market quote conversation capability. Use when the user asks in natural language to add/remove/list/clear watchlist stocks, or asks about a stock / watchlist quotes, percentage change, trend, performance, or overview, for example "add 0... It is an AI Agent Skill for Claude Code / OpenClaw, with 456 downloads so far.

How do I install Stock Tools?

Run "/install stock-tools" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Stock Tools free?

Yes, Stock Tools is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Stock Tools support?

Stock Tools is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Stock Tools?

It is built and maintained by daguniang (@daguniang); the current version is v1.0.6.
