← 返回 Skills 市场

alphaear-predictor

Name: alphaear-predictor
Author: zhouzhonglu8-png

作者 zhouzhonglu8-png · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

101

总下载

当前安装

版本数

在 OpenClaw 中安装

/install alphaear-predictor

功能描述

Market prediction skill using Kronos. Use when user needs finance market time-series forecasting or news-aware finance market adjustments.

使用说明 (SKILL.md)

AlphaEar Predictor Skill

Overview

This skill utilizes the Kronos model (via KronosPredictorUtility) to perform time-series forecasting and adjust predictions based on news sentiment.

Capabilities

1. Forecast Market Trends

Workflow:

Generate Base Forecast: Use scripts/kronos_predictor.py (via KronosPredictorUtility) to generate the technical/quantitative forecast.
Adjust Forecast (Agentic): Use the Forecast Adjustment Prompt in references/PROMPTS.md to subjectively adjust the numbers based on latest news/logic.

Key Tools:

KronosPredictorUtility.get_base_forecast(df, lookback, pred_len, news_text): Returns List[KLinePoint].

Example Usage (Python):

from scripts.utils.kronos_predictor import KronosPredictorUtility
from scripts.utils.database_manager import DatabaseManager

db = DatabaseManager()
predictor = KronosPredictorUtility()

# Forecast
forecast = predictor.predict("600519", horizon="7d")
print(forecast)

Configuration

This skill requires the Kronos model and an embedding model.

Kronos Model:
- Ensure exports/models directory exists in the project root.
- Place trained news projector weights (e.g., kronos_news_v1.pt) in exports/models/.
- Or depend on the base model (automatically downloaded).

[!CAUTION] Model Security: This skill loads model weights from exports/models. We use weights_only=True and only scan for the kronos_news_*.pt pattern. Ensure you only place trusted checkpoints in this directory.

Environment Variables:
- EMBEDDING_MODEL: Path or name of the embedding model (default: sentence-transformers/all-MiniLM-L6-v2).
- KRONOS_MODEL_PATH: Optional path to override model loading.

Dependencies

torch
transformers
sentence-transformers
pandas
numpy
scikit-learn

安全使用建议

What to consider before installing/using this skill: 1. Declare and verify required environment/config: The registry lists no env vars but the code uses EMBEDDING_MODEL and optional KRONOS_MODEL_PATH and also reads a .env file. Ask the publisher to explicitly list required env vars and config paths, and do not place unrelated secrets in the .env used by this skill. 2. Check and pin dependencies and installation: The skill needs torch, transformers, sentence-transformers, etc. There is no install script or pinned versions. Install in a sandboxed environment (container/VM) and pin dependency versions before running. 3. Audit model checkpoints before loading: The skill will load local 'kronos_news_*.pt' files and may fall back to an unsafe torch.load. Only use trusted checkpoints. Prefer removing the legacy torch.load fallback or force weights_only loads and verify files (checksums/signatures) before use. 4. Expect network activity: If local models are missing, the code will download tokenizers/models from Hugging Face. If you require offline operation, pre-populate the expected artifacts and set local-only flags. Be prepared for large downloads and verify host trust. 5. Prompt/tool behavior: The bundled prompts instruct agents to call web_search, fetch_news_content and to retrieve live prices. Confirm what tool integrations are available and whether they require API keys (and where those keys are stored). Do not give the skill access to broad network or production credentials until audited. 6. Path mismatch & repository layout: SKILL.md says exports/models in project root but code looks under scripts/predictor/exports/models — confirm actual expected path to avoid accidentally placing files in the wrong location. 7. Run tests in isolation: Use the included tests (tests/test_predictor.py) in an isolated environment first. Consider a code review of the checkpoint-loading logic and remove unsafe fallbacks. 8. Ask for provenance: The skill has no homepage and unknown source. Prefer skills with a reputable source or request the author/publisher to provide a source repo, dependency lock, and signed model artifacts. If you cannot verify the model checkpoints or you cannot run the skill in an isolated sandbox, treat it as higher risk and avoid running it with any credentials or on sensitive data.

功能分析

Type: OpenClaw Skill Name: alphaear-predictor Version: 1.0.0 The skill is a complex financial forecasting tool that utilizes the Kronos time-series model, but it contains critical security vulnerabilities. Specifically, `scripts/kronos_predictor.py` includes a fallback to unsafe `torch.load()` (Pickle deserialization) without `weights_only=True`, which allows for Arbitrary Code Execution (RCE) if a malicious model checkpoint is placed in the exports directory. Additionally, `scripts/utils/predictor/kline_generate.py` contains a SQL injection vulnerability where the `ticker` variable is directly interpolated into a query string. While these are high-risk flaws, they appear to be unintentional vulnerabilities rather than deliberate malware.

能力评估

⚠ Purpose & Capability

Name/description (Kronos-based market forecasting) align with the code: many predictor modules, prompt-driving agents, and forecast helpers exist. However the registry metadata declares no required env vars/configs while SKILL.md and the code do require/expect EMBEDDING_MODEL, optional KRONOS_MODEL_PATH and an `exports/models` checkpoint directory. The README expects exports/models at project root while code looks under scripts/predictor/exports/models — a path mismatch. Also the skill declares no install spec but depends on heavy ML libraries (torch, transformers, sentence-transformers), which is disproportionate to being an 'instruction-only' skill in the registry metadata.

⚠ Instruction Scope

SKILL.md and prompts instruct the agent to load local model weights, read a .env, and call external 'web_search' / 'fetch_news_content' / 'get_stock_price' tools (prompts mandate calling them). The code uses load_dotenv() and will attempt to download models/tokenizers from Hugging Face if not present locally. Prompts also require strict JSON outputs and instruct agents to fetch live prices/news; this grants the agent broad network and tool usage. The instruction text also tells the operator to place .pt checkpoint files in a directory and trusts weights_only=True but the code contains a fallback to legacy torch.load if safe loading fails — allowing potential code execution via malicious checkpoints.

⚠ Install Mechanism

There is no install spec in the registry entry even though the code requires heavy ML packages and model artifacts. The code will attempt network activity: SentenceTransformer and from_pretrained calls (Hugging Face) can download models, and the Kronos tokenizer/model are fetched by name if not cached. The skill will therefore pull sizeable artifacts at runtime (trusted hosts like Hugging Face), and the code also glob-loads local .pt checkpoint files. Lack of an explicit, auditable install step and dependency pinning increases supply-chain risk.

⚠ Credentials

Registry metadata lists no required environment variables, yet SKILL.md documents EMBEDDING_MODEL and KRONOS_MODEL_PATH and the code calls load_dotenv() (reading a .env). That inconsistency means the skill may read arbitrary environment variables or secrets from a .env without the user being warned or requiring specific credentials. The prompts direct use of external web search and data-fetching tools (which may themselves require API keys) but no such credentials are declared or constrained.

✓ Persistence & Privilege

The skill is not always-included and does not request special platform privileges. It does not appear to modify other skills or global agent configuration. Note: the skill can be invoked autonomously by the agent (platform default), which increases blast radius if other risks are exploited — combine this with the other flagged issues before enabling autonomous runs.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install alphaear-predictor
安装完成后，直接呼叫该 Skill 的名称或使用 /alphaear-predictor 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

AlphaEar Predictor 1.0.0 - Initial Release - Added market prediction capabilities using the Kronos model for time-series forecasting. - Introduced workflow for base quantitative forecast and news-driven subjective adjustment. - Provided configurable support for custom and default Kronos model weights. - Added requirement for an embedding model, with customizable environment variables. - Documented required Python dependencies for operation.

元数据

Slug alphaear-predictor

版本 1.0.0

许可证 MIT-0

累计安装 2

当前安装数 2

历史版本数 1

常见问题