Yingmi Skill
by Yingmi-SOC · GitHub · v0.1.3 · MIT-0
101 Downloads · 1 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw: /install yingmi-skill
Description
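When the user needs to look up funds, strategies, announcements, or financial news, perform asset allocation, portfolio diagnosis, risk backtesting, or cash-flow analysis, or generate charts or PDFs, prefer this Skill to obtain real data and executable capabilities.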
Usage Guidance
Before installing or using this skill, note these points:
(1) The skill will ask you to install a global npm package (yingmi-skill-cli) and may ask you to run sudo if permissions fail; avoid running sudo on unreviewed code.
(2) The CLI initialization flow requests your phone number and an SMS verification code and will write an apiKey to ~/.yingmi-skill-cli/config.json; you are sharing PII and granting the CLI persistent credentials.
(3) The registry metadata does not declare the apiKey/phone requirement or provide a homepage/repository link, so the operational details are not fully transparent.
Recommended actions: verify the npm package and its source (find the package on npm/Gitee/GitHub, inspect the repository and package contents), avoid global sudo installs (consider a sandbox/container or a local install), review the CLI code for data exfiltration, and only provide phone/SMS codes if you trust the publisher and have validated the upstream repository and privacy policy. If you cannot validate the package source, do not proceed.
Capability Analysis
Type: OpenClaw Skill
Name: yingmi-skill
Version: 0.1.3
The skill requires the agent to install a global NPM package (`yingmi-skill-cli`) and explicitly suggests using `sudo` for installation in `references/CLI前置检查.md`. It also directs the agent to collect the user's phone number and SMS verification code to initialize an API key. Furthermore, the skill includes a 'remote-skill' feature that allows the execution of arbitrary scripts via the CLI. While these capabilities are aligned with the stated purpose of a financial assistant for the 'Qieman' platform, the combination of high-privilege installation, credential handling, and remote execution represents a significant security risk.
Capability Assessment
Purpose & Capability
The skill claims to provide finance data/analysis via a CLI (yingmi-skill-cli), which is coherent in general. However, the registry metadata declares no credentials/config required, while the SKILL.md requires a CLI-initialized apiKey (obtained via phone + SMS verification) and writes config to ~/.yingmi-skill-cli/config.json. That mismatch (undisclosed apiKey/PII requirement) is unexpected and should have been declared.
Instruction Scope
Runtime instructions direct the agent (and/or user) to install/upgrade a global npm package, run CLI commands that read/write local config, request the user's phone number and SMS verification code, and then proceed to use the CLI to call remote MCP tools. Collecting phone numbers/SMS codes and storing an apiKey are sensitive operations and are not surfaced in the skill metadata. The instructions also permit use of sudo for npm install, which elevates risk if the package is untrusted.
Install Mechanism
There is no registry install spec (skill is instruction-only), but the SKILL.md recommends npm install -g yingmi-skill-cli@latest from https://registry.npmmirror.com and suggests sudo if permissions fail. The check-upgrade script fetches a remote 'version' file from gitee raw URLs via curl. Using npm global installs and remote curl pulls is expected for a CLI-backed skill, but it increases risk because arbitrary code from the npm package or remote repo will run on the user's system; the documentation does not point to an official, reviewable homepage or repository in the registry metadata.
Credentials
The skill metadata declares no required credentials/env vars, yet the runtime flow produces and consumes an apiKey (written to ~/.yingmi-skill-cli/config.json) and requires the user to supply a phone number and SMS verification code. Requesting PII and an apiKey without declaring it is disproportionate and reduces transparency. Also, recommending global installation (and sudo) can require elevated privileges that are not justified in the registry entry.
Persistence & Privilege
always:false and the skill does not request forced platform presence. However, the skill instructs installing a global CLI and initializing a persistent local config (including an apiKey) in the user's home directory. That creates persistence and modifies the system environment outside the agent; this is expected for a CLI-based integration but is a material privilege and should be considered before installation.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install yingmi-skill
- After installation, invoke the skill by name or use /yingmi-skill
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.3
Republish current skill under Yingmi-SOC
v1.0.0
yingmi-skill 1.0.0
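- Initial release, providing full access to Qieman MCP financial data and analysis capabilities.
- Supports data query and analysis tools for funds, strategies, announcements, financial news and more.
- Provides core functions including asset allocation, portfolio diagnosis, risk backtesting, cash-flow analysis and market analysis.
- Lists all tools and how to use them in detail; mandatory pre-checks ensure the environment and dependencies are correctly initialized.
- Supports generating charts and PDFs, returning an access URL.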
Frequently Asked Questions
What is Yingmi Skill?
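When the user needs to look up funds, strategies, announcements, or financial news, perform asset allocation, portfolio diagnosis, risk backtesting, or cash-flow analysis, or generate charts or PDFs, prefer this Skill to obtain real data and executable capabilities. It is an AI Agent Skill for Claude Code / OpenClaw, with 101 downloads so far.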
How do I install Yingmi Skill?
Run "/install yingmi-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Yingmi Skill free?
Yes, Yingmi Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Yingmi Skill support?
Yingmi Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Yingmi Skill?
It is built and maintained by Yingmi-SOC (@yingmi-soc); the current version is v0.1.3.