Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks and US stocks
by newhackerman · GitHub · v1.4.0 · MIT-0
314 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install stock-analysis-best
Description
Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks and US stocks
Usage Guidance
This skill appears to do what it says: fetch public market data, compute indicators, and produce downloadable HTML reports. Before installing or running it:
1) Run it in an isolated container or environment (do not bind the container port to a public host) because it launches a simple Python HTTP server on port 8888 that will expose the reports directory to the network if reachable.
2) Treat user-supplied inputs (company name / stock code) as untrusted: filenames are constructed without sanitization, which could allow path traversal or overwriting files — prefer safe names or validate/escape inputs.
3) Ensure the runtime has only expected tools (curl, jq, bc, python3) and that outbound network access is acceptable (the scripts call multiple public finance sites over HTTP/HTTPS).
4) If you need stricter privacy, modify generate-pdf-report.sh to bind the HTTP server to localhost only (python3 -m http.server --bind 127.0.0.1) or avoid starting a server and instead use the platform's file-download API.
If you want me to, I can point out exact lines to harden (e.g., sanitize COMPANY_NAME, restrict server bind) or produce a patched generate-pdf-report.sh that is safer.
Capability Analysis
Type: OpenClaw Skill
Name: stock-analysis-best
Version: 1.4.0
The skill bundle implements a high-risk feature by starting a background HTTP server on port 8888 using 'python3 -m http.server' in 'generate-pdf-report.sh' to serve generated reports. While this aligns with the stated purpose of providing downloadable reports, it opens an unauthenticated network port within the environment. Additionally, multiple scripts (e.g., 'analyze.sh', 'generate-pdf-report.sh', and 'fetch-research.sh') are highly vulnerable to shell command injection because they use unsanitized user inputs like stock codes and company names directly in shell commands and curl arguments. There is no evidence of intentional data exfiltration, but the combination of network exposure and critical injection vulnerabilities warrants a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description (systematic investment analysis for A/H/US stocks) match the included scripts and templates: data fetching (multiple public finance sources), calculations, report generation and comparison. Required binaries and env/paths declared in SKILL.md (curl, jq, bc, python3, bash) align with the scripts' needs.
Instruction Scope
Runtime instructions and scripts are within the stated scope (fetch data, compute indicators, generate HTML/PDF, and serve reports). Two operational behaviors to note: (1) generate-pdf-report.sh launches python3 -m http.server on port 8888 and advertises direct download links — this exposes the reports directory over HTTP (serves all files in that directory) and may be reachable depending on container/network configuration; (2) filenames use user-supplied COMPANY_NAME without sanitization (e.g., ${COMPANY_NAME}_${STOCK_CODE}.html), which can enable path traversal or unexpected file creation if malicious input is provided. These are functional for the claimed feature but increase risk if the skill runs in a broad network context or with untrusted inputs.
Install Mechanism
No install spec; the package includes scripts and templates only. There are no downloads from third-party URLs or package installs embedded in an installer. This is lower risk than remote installs, but the skill includes executable scripts that will run when invoked.
Credentials
The skill requests no environment variables or external credentials. The dependencies (curl, jq, bc, python3) are reasonable for its functionality. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide changes. It starts a local HTTP server and writes files under its own directory (/app/skills/stock-analysis/reports/), which is normal for report generation. There is no evidence it modifies other skills or global configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install stock-analysis-best
- After installation, invoke the skill by name or use /stock-analysis-best
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.4.0
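**New: automatic generation of downloadable HTML/PDF reports**
- Added automatic HTML report generation after analysis, together with a download link
- Added the analyze-with-pdf.sh and generate-pdf-report.sh scripts for one-step report generation and download
- Reports can be accessed directly through a local HTTP port, making it easy to preview them in a browser and save them as PDF
- Added a reports/ directory that automatically stores each company's analysis report files
- Integrated data caching with report generation to improve the user experience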
v1.3.0
Version 1.3.0 — Adds industry peer selection and smart suggestions.
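- Added peer-selection hints: automatically compares companies in the same industry to help find better investment targets
- Enhanced the peer-comparison module with a composite score and selection-hint rules
- Added the compare-stocks.sh script for automated peer-comparison analysis
- Integrated peer-selection hints into output reports, templates and quick reviews
- The analysis workflow now fetches, processes and outputs the selection hints automatically during analysis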
Frequently Asked Questions
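What is "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks and US stocks"?
Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks and US stocks. It is an AI Agent Skill for Claude Code / OpenClaw, with 314 downloads so far.
How do I install "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks and US stocks"?
Run "/install stock-analysis-best" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks and US stocks" free?
Yes, "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks and US stocks" is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks and US stocks" support?
"Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks and US stocks" is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks and US stocks"?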
It is built and maintained by newhackerman (@newhackerman); the current version is v1.4.0.