← 返回 Skills 市场

Ashare Fast Watcher

Name: Ashare Fast Watcher
Author: kenswj

作者 kenswj · GitHub ↗ · v1.0.1 · MIT-0

cross-platform ⚠ suspicious

335

总下载

当前安装

版本数

在 OpenClaw 中安装

/install ashare-fast-watcher

功能描述

A-Share millisecond-level market data watcher using Tencent direct API.

使用说明 (SKILL.md)

Ashare Fast Watcher

A high-performance skill to monitor A-Share market movements.

Actions

get_market_snapshot

Fetches real-time price, change, volume, and Level-1 quotes.

Parameters

codes: (Required) String. Stock codes with prefix, e.g., "sh600519,sz000001".

check_volatility

Detects sudden volume spikes or price movements.

Parameters

code: (Required) String. Single stock code.

安全使用建议

What to check before installing/running: 1) Confirm the author/source — repository metadata and homepage are missing. 2) Ask the publisher to explain how SKILL.md actions (get_market_snapshot, check_volatility) map to the included scripts; the mismatch could be sloppy packaging. 3) Run code in an isolated environment (container/VM) because daemon.py runs an infinite loop and calls os.system to execute osascript (macOS). 4) If you will use the notification feature, review/adjust notify_mac to avoid shell invocation or better escape single quotes (current code only replaces double quotes). 5) Install and audit required Python packages (requests, akshare, pandas); requirements.txt is empty so dependencies are undeclared. 6) If you need cross‑platform behavior, note the macOS-only notifier and either disable it or add an OS check. If you cannot verify the author or fix the above inconsistencies, treat the skill as untrusted and avoid running it on production systems or systems with sensitive data.

功能分析

Type: OpenClaw Skill Name: ashare-fast-watcher Version: 1.0.1 The skill bundle contains a command injection vulnerability in daemon.py within the notify_mac function. It uses os.system to execute osascript for macOS notifications using market data fetched from the Tencent API (qt.gtimg.cn) without sanitizing single quotes, which could allow arbitrary code execution if the API response is compromised. While the overall logic in index.py and radar.py aligns with the stated purpose of A-Share market monitoring and uses legitimate libraries like akshare, the insecure implementation of system-level notifications is a high-risk flaw.

能力评估

ℹ Purpose & Capability

The code queries the Tencent qt.gtimg.cn API and performs bond/ETF scanning (consistent with a market watcher). However the SKILL.md declares actions named get_market_snapshot and check_volatility that do not map directly to the functions in index.py/daemon.py/radar.py (those files implement analyze_bond_linkage, analyze_etf_premium, a long‑running daemon, and akshare scans). Also the daemon implements a macOS-only notifier (osascript) but the skill metadata does not declare an OS restriction.

⚠ Instruction Scope

SKILL.md provides only two high-level actions but the repository contains runnable scripts (a perpetual daemon, index analyzer, and akshare scanners). daemon.py uses os.system to call osascript for notifications (executes shell commands), building the command from remote data with only limited escaping — this creates a potential command/argument injection vector if untrusted strings are used. The code also performs network calls to external APIs (expected) but SKILL.md does not document how the agent will invoke these scripts or map the declared actions to the code entrypoints.

ℹ Install Mechanism

There is no install spec (instruction-only), but the code imports third‑party packages (requests, akshare, pandas). requirements.txt is empty, so required dependencies are not declared — this is inconsistent and will cause runtime failures unless the environment already has these packages. No remote downloads or installers are present (low install risk), but missing dependency declarations are a usability/integrity issue.

✓ Credentials

The skill requests no environment variables, credentials, or config paths — appropriate for a read‑only market watcher that calls public APIs. No unrelated secrets are requested.

ℹ Persistence & Privilege

The skill is not forced-always and allows model invocation (defaults). It does include a long-running daemon script (daemon.py) that loops indefinitely when executed; that is normal for a watcher but the SKILL.md does not explain the runtime model (whether the agent should run the daemon). The macOS notifier and infinite loop are behaviors to be aware of before running.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install ashare-fast-watcher
安装完成后，直接呼叫该 Skill 的名称或使用 /ashare-fast-watcher 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.1

- Introduced new components: daemon.py and radar.py for expanded functionality. - Updated index.py to support changes and integrations with new modules. - Lays groundwork for background processing and advanced monitoring features.

v1.0.0

Initial release of ashare-fast-watcher. - Provides millisecond-level monitoring of A-Share market data via Tencent direct API. - Supports fetching real-time price, change, volume, and Level-1 quotes for specified stock codes. - Includes volatility detection for sudden volume spikes or price movements.

元数据

Slug ashare-fast-watcher

版本 1.0.1

许可证 MIT-0

累计安装 3

当前安装数 2

历史版本数 2

常见问题