Total downloads: 626
Favorites: 1
Current installs: 2
Versions: 1
Install in OpenClaw
/install astock-daily
Description
Daily emails listing recent A-share IPOs and selected stocks priced under 20 yuan, including key trading details.
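Usage instructions (SKILL.md)
A-Share Daily Picks Skill
Description
Fetches A-share IPO information and selected stocks priced under 20 yuan every day and sends them to the user by email.
Activation
Activate this skill when the user mentions A-shares, new stock issues (IPOs), stock screening, or low-priced stocks.
Configuration
Add the following configuration to TOOLS.md: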
### A 股股票技能
- 邮箱:[email protected]
- 价格上限:20 元
- 发送时间:每天 09:00
Usage
Manual run
node skills/astock-daily/index.js
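Scheduled run
Run daily via cron or OpenClaw's heartbeat feature.
Data sources
- Eastmoney (东方财富网) API (IPO listings)
- Sina Finance (新浪财经) API (stock quotes)
Output
The email contains:
- Recent IPO list (code, name, subscription date, issue price)
- Selected stocks under 20 yuan (code, name, current price, change percentage, trading volume)
Security recommendations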
This package performs more privileged and sensitive actions than the registry metadata claims. Before installing or running it:
1) Inspect and remove any hard-coded credentials (test-smtp.js) and never run with those credentials; create a dedicated SMTP account/authorization for this skill.
2) Do not blindly run fix-hosts.sh or any script that uses sudo — examine the exact hosts entries and only apply them if you trust the source and understand the change.
3) Prefer exporting SMTP_CONFIG at runtime rather than adding it to ~/.zshrc/rc files; keep secrets out of checked-in files.
4) Run npm install only after reviewing package.json and package-lock.json; verify dependencies come from a trusted registry.
5) If you want to test, run the code in an isolated environment (container or VM) and avoid adding cron jobs until you confirm behaviour.
The inconsistencies (metadata vs code) and embedded plaintext password are red flags — treat this as potentially unsafe until you remediate those issues.
Functional analysis
Type: OpenClaw Skill
Name: astock-daily
Version: 1.0.0
The skill is classified as suspicious due to several high-risk capabilities, despite their stated purpose. It prompts for and stores SMTP credentials (email and password/auth code) in plain text in `.env` files and potentially shell configuration files (`.zshrc`, `.bashrc`). The `fix-hosts.sh` script performs privileged operations by modifying `/etc/hosts` using `sudo`. The `index.js` and `send-mail-applescript.js` files use `child_process.exec` to run system commands (`sendmail`, `osascript`), which could be vulnerable to injection if the content were not carefully controlled. Additionally, the `nodemailer` configuration in `index.js` and `test-smtp.js` uses `tls: { rejectUnauthorized: false }`, which disables certificate validation and makes the SMTP connection vulnerable to Man-in-the-Middle attacks. While these actions are explained as necessary for the skill's functionality (sending daily stock updates via email and fixing specific network issues), they represent significant security vulnerabilities and poor security practices, elevating the classification to suspicious rather than benign. There is no clear evidence of intentional malicious behavior like data exfiltration to unauthorized parties or unauthorized remote control.
Capability assessment
Purpose & Capability
The skill description (fetch A-share IPOs and low-price stocks + email) is reasonable, but the registry metadata says no required env vars or install steps while the package includes nodemailer, .env usage, and code that expects SMTP credentials and the ability to write files and cron entries. The presence of a hard-coded target email ([email protected]) and helper scripts to save credentials into ~/.zshrc/.env is inconsistent with the 'no credentials required' claim.
Instruction Scope
SKILL.md plus other docs and scripts instruct the user to provide SMTP credentials (SMTP_CONFIG), run setup scripts that add cron jobs, and run a fix-hosts.sh that appends entries to /etc/hosts (requires sudo). The runtime code reads process.env.SMTP_CONFIG, writes .env and data-*.json, executes sendmail/osascript. These behaviours go beyond simple data fetching and include system config changes and credential handling.
Install Mechanism
The registry lists 'no install spec' (instruction-only), but the package contains package.json/package-lock.json with a nodemailer dependency — meaning npm install is required to enable SMTP sending. That mismatch (no declared install but real code + dependencies) is an incoherence and increases risk because users may run code without performing an explicit vetted install step.
Credentials
Although the skill metadata declares no required env vars, the code relies on SMTP_CONFIG (and scripts create .env and optionally export SMTP_CONFIG into shell RC). test-smtp.js contains a hard-coded username and plaintext password ('[email protected]' / '[email protected]'). Requesting or storing SMTP credentials and suggesting adding them to shell RC/.env is disproportionate without explicit declaration in metadata and raises credential exposure risk.
Persistence & Privilege
The skill's helper scripts add cron jobs, can append SMTP_CONFIG to ~/.zshrc or other shell rc files, and provide a script to append entries to /etc/hosts using sudo. While these actions can be legitimate for scheduling and DNS fixes, they grant long-lived system changes and require elevated privileges (hosts modification). The skill itself is not marked always:true, but it instructs the user to persist credentials and jobs on the host — a notable persistence surface.
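How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install astock-daily`
- After installation, call the Skill by name or use `/astock-daily` to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
A-Share Daily Picks Skill 1.0.0 initial release:
- Automatically compiles A-share IPO information and selected stocks under 20 yuan every day.
- Supports sending the selected list automatically by email.
- Can be activated by keywords; supports scheduled and manual runs.
- Integrates data from Eastmoney (东方财富网) and Sina Finance (新浪财经).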
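FAQ
What is Astock Daily?
Daily emails listing recent A-share IPOs and selected stocks priced under 20 yuan, including key trading details. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 626 cumulative downloads to date.
How do I install Astock Daily?
Run the command "/install astock-daily" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Astock Daily free?
Yes, Astock Daily is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Astock Daily support?
Astock Daily runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Astock Daily?
Developed and maintained by batype (@batype); the current version is v1.0.0.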