← Back to Skills Marketplace
65
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install a-stock-evening
Description
Sends a daily 15:10 summary of A-share closing data including index changes, volume, hot sectors, and main capital flow via Feishu.
README (SKILL.md)
A股收盘报告
每个A股交易日 15:10 通过飞书发送当日收盘情况总结,包含主力资金状况。
触发条件
- 时间:每交易日 15:10(周一至周五)
- 时区:Asia/Shanghai
- 注意:节假日需额外判断
内容
- 上证指数、深证成指、创业板指、沪深300 涨跌幅
- 涨跌分布统计(上涨/下跌/平盘)
- 主力资金状况(重点)
- 主力资金净流入/净流出
- 主力资金净流入板块 Top 5
- 主力资金净流出板块 Top 5
- 热门板块
- 成交额
- 操作建议
实现
使用东方财富股票 API 获取实时数据:
- 指数:
https://push2.eastmoney.com/api/qt/ulist.np/get - 行业资金流向:
https://push2.eastmoney.com/api/qt/clist/get(fid=f62 主力资金) - 涨跌统计:
https://push2.eastmoney.com/api/qt/ulist.np/get(f104/f105/f106)
发送
通过 OpenClaw 飞书通道发送给用户。
使用方法
# 仅生成报告
node scripts/closing-summary.mjs
# 生成并发送到飞书
node scripts/closing-summary.mjs --send
Cron 定时任务
设置每天 15:10 执行(OpenClaw 会自动判断是否为交易日):
openclaw cron add "10 15 * * 1-5" --skill a-stock-evening -- --send
Usage Guidance
This skill appears to do what it says (fetch EastMoney data and send a closing report via Feishu), but there are two things to consider before installing:
- Command injection risk: the script builds a shell command with execSync and interpolates the whole report into it. Although it escapes quotes/newlines, other shell metacharacters from the fetched data could allow command execution. Prefer a safer send mechanism (use an API/client library or execFile with args) or robustly escape all shell metacharacters.
- Hardcoded recipient: the script contains a fixed Feishu user id. Confirm this id is intended; otherwise modify the script to accept a configured recipient (via a declared setting or env var) to avoid sending reports to the wrong person.
Other practical checks: ensure the openclaw CLI will be available in the runtime environment, and consider running the skill in a constrained environment (limited privileges) until you review and, if needed, patch the script to remove shell execution and make the recipient configurable.
Capability Analysis
Type: OpenClaw Skill
Name: a-stock-evening
Version: 1.0.0
The skill contains a shell injection vulnerability in `scripts/closing-summary.mjs` where data fetched from external APIs (Eastmoney) is passed to `execSync` with insufficient sanitization (only double quotes and newlines are escaped, leaving shell metacharacters like backticks or dollar signs vulnerable). Additionally, the script hardcodes a specific Feishu user ID (`ou_d70ce91dc6fdd7aa7ceacb1c312618a0`), which causes the report to be sent to a fixed recipient rather than the user executing the skill, deviating from the behavior described in `SKILL.md`.
Capability Assessment
Purpose & Capability
Name/description align with implementation: the script fetches A‑share data from EastMoney endpoints, builds a report, and sends via the OpenClaw Feishu channel. The network endpoints used (eastmoney push2 APIs) are consistent with the stated data sources. One unexpected element: the script hardcodes a Feishu user id (feishuUserId = 'ou_d70ce91dc6fdd7aa7ceacb1c312618a0'), which may not be appropriate for all users and is not explained in SKILL.md.
Instruction Scope
SKILL.md stays within scope (fetch data, format report, send via Feishu). However the runtime script uses child_process.execSync to run a shell command (openclaw message send) with a dynamically generated message interpolated into the command string. The code only escapes double quotes and newlines, leaving other shell metacharacters (e.g., $(...), ``, ;, & ) unescaped — if any API response field contains crafted content this could result in shell command execution. The script also assumes openclaw CLI presence and uses a hardcoded recipient id, which may leak messages to an unexpected third party.
Install Mechanism
Instruction-only skill with a single included script; there is no install spec, no external archive downloads, and no packages installed by the skill itself. This is a low-risk install footprint.
Credentials
The skill declares no required environment variables or credentials. It relies on the OpenClaw CLI to handle Feishu delivery (so OpenClaw credentials are used implicitly). That is proportionate, but users should be aware the script will run with whatever OpenClaw/agent identity is available and will send messages under that identity. The hardcoded Feishu user id is not declared and may be inappropriate.
Persistence & Privilege
The skill is not always:true and does not request system-wide changes. It does invoke the openclaw CLI to send messages (normal for this purpose). It does not modify other skills or system-wide configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install a-stock-evening - After installation, invoke the skill by name or use
/a-stock-evening - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
A股收盘报告 v1.0.0 – 首次发布
- 每个A股交易日 15:10 自动总结当日收盘情况并通过飞书发送
- 报告涵盖主要指数涨跌幅、涨跌分布、主力资金流向和热门板块
- 聚焦主力资金净流入/净流出及分行业Top 5板块
- 提供成交额信息与操作建议
- 支持命令行生成与发送报告,可结合定时任务自动推送
Metadata
Frequently Asked Questions
What is A Stock Evening?
Sends a daily 15:10 summary of A-share closing data including index changes, volume, hot sectors, and main capital flow via Feishu. It is an AI Agent Skill for Claude Code / OpenClaw, with 65 downloads so far.
How do I install A Stock Evening?
Run "/install a-stock-evening" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is A Stock Evening free?
Yes, A Stock Evening is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does A Stock Evening support?
A Stock Evening is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created A Stock Evening?
It is built and maintained by chrislzg (@chrislzg); the current version is v1.0.0.
More Skills