← 返回 Skills 市场
118
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install baostock-skill
功能描述
Query Chinese A-share market data using BaoStock. Use when user asks for stock quotes, historical K-line, fundamentals, or market analysis. Supports real-tim...
使用说明 (SKILL.md)
BaoStock Finance Skill
This skill wraps BaoStock (http://baostock.com) to provide easy access to Chinese A-share market data. BaoStock is a stable domestic data source with no compilation requirements.
What It Does
- Real-time quotes: Latest price, volume, change for A-shares
- Historical data: Daily, weekly, monthly, minute bars
- K-line data: OHLC with adjust factors (qfq, hfq)
- Financial data: Basic indicators, PE/PB, market cap
- Index data: SSE, SZSE, CSI indices
- Stock basics: List of A-shares, industry classification
When to Use
User asks like:
- "查询贵州茅台最新股价"
- "获取宁德时代最近30天的日线数据"
- "列出所有银行股"
- "分析中国平安的市盈率"
- "获取上证指数历史数据"
How to Invoke
# Single stock quote
baostock --symbol sh600519 --type quote
# Historical K-line (daily)
baostock --symbol sh600519 --type history --start-date 2024-01-01 --end-date 2024-12-31
# Minute data (5-minute intervals)
baostock --symbol sh600519 --type history --frequency 5 --start-date 2024-03-01
# Stock list (all A-shares)
baostock --type stock-list
# Index data
baostock --symbol sh000001 --type index-history --start-date 2024-01-01
Dependencies
- Python 3.8+
baostockpackage (pip install baostock)pandas(should be installed)
pip3 install baostock
Data Source
BaoStock fetches data from BaoXin (宝新) data provider. It is:
- ✅ Domestic source, no external network issues
- ✅ Free for non-commercial use
- ✅ Supports minute-level data
- ⚠️ Some delay for real-time data (~15 min for minute bars)
Output Format
Default: JSON
{
"symbol": "sh600519",
"name": "贵州茅台",
"price": 1680.50,
"change": 1.23,
"pct_change": 0.07,
"volume": 1234567,
"amount": 2000000000,
"timestamp": "2025-03-18 15:00:00"
}
For historical data:
[
{
"date": "2025-03-18",
"open": 1670.00,
"high": 1690.00,
"low": 1668.50,
"close": 1680.50,
"volume": 1234567,
"amount": 2000000000
}
]
Integration with OpenClaw
This skill can be assigned to finance.yaml role:
plugins:
allow:
- baostock-skill
- feishu-doc
- feishu-bitable
Limitations
- Real-time quotes are actually 15-min delayed (free tier)
- Some stocks may have missing data (new listings)
- No direct access to order book (Level 2)
- API rate limits: ~100 requests/minute
Troubleshooting
| Issue | Check |
|---|---|
| Import error | pip3 install baostock |
| No data returned | Check symbol format (sh/sz prefix) and trading day |
| Network error | BaoStock uses domestic servers; should be fine |
Examples
# Get all stock names and codes
baostock --type stock-list --output stocks.csv
# Get daily history for last 30 days
baostock --symbol sh600519 --type history --days 30
# Get 5-minute bars for today (if market open)
baostock --symbol sh600519 --type history --frequency 5
安全使用建议
Do not install or enable this skill yet. The package contains several inconsistencies and a concrete risk: index.ts runs a shell command by concatenating user-supplied arguments into child_process.exec and calls a hard-coded developer path (/Users/nico/...), which can lead to command injection or execution of an unexpected binary. Before installing, ask the maintainer to: 1) fix skill.json to point to existing entry points and remove stale developer paths; 2) make index.ts invoke the included Python script (scripts/baostock_cli.py) or use a safe child_process.spawn with an args array (no shell concatenation) and proper escaping; 3) narrow file-system permissions (avoid broad read/write to ~/.openclaw/workspace/** unless strictly needed); 4) provide an install spec or clear instructions that match the actual files; and 5) re-run a security review. If you must test, run it in an isolated environment (VM or container) and do not grant it access to sensitive workspaces or credentials.
功能分析
Type: OpenClaw Skill
Name: baostock-skill
Version: 1.0.0
The skill contains a critical command injection vulnerability in index.ts, where user-provided inputs (symbol, type, etc.) are concatenated directly into a shell command via child_process.exec without any sanitization. Additionally, index.ts uses a hardcoded absolute path (/Users/nico/...) which is a significant configuration flaw. While the Python backend (scripts/baostock_cli.py) appears to legitimately interface with the BaoStock API, the insecure execution wrapper poses a high risk of arbitrary code execution if used with untrusted input.
能力评估
Purpose & Capability
The SKILL.md and scripts claim to run a local CLI (baostock) or the included Python CLI (scripts/baostock_cli.py), but index.ts calls a hard-coded absolute path (/Users/nico/.openclaw/workspace/skills/baostock-skill/baostock) that is not part of the bundle. skill.json's main/scripts entries reference non-existent files (scripts/baostock_interface.py, scripts/query_stock.py), indicating inconsistent packaging and leftover developer paths. These mismatches are not proportional to the stated purpose and suggest sloppy packaging or misconfiguration.
Instruction Scope
SKILL.md suggests invoking a CLI; the included Python CLI looks reasonable. However, index.ts builds a shell command by concatenating unsanitized input into an exec() call (args like --symbol ${symbol} are inserted without escaping). This permits command injection if symbol/type/etc. contain shell metacharacters. index.ts also invokes an executable at an absolute path rather than the included script, which could execute an attacker-controlled binary if that path is created. skill.json grants read/write to ~/.openclaw/workspace/** which could expand the scope of what the skill can access.
Install Mechanism
There is no install spec (instruction-only), which is low risk in principle. The SKILL.md asks users to pip install baostock/pandas. No remote downloads or archive extraction are present in the package. However, the package metadata lists dependencies and requirements and references missing files, indicating packaging errors that should be resolved before trusting the skill.
Credentials
The skill requests no environment variables, which is appropriate. But skill.json requests broad file-system permissions (read/write on ~/.openclaw/workspace/**). Given the hard-coded developer path and exec usage, those permissions are disproportionate and could allow the skill to read or modify unrelated workspace files or caches. The code itself doesn't require secrets, but the broad file permissions increase risk.
Persistence & Privilege
The skill does not set always:true and does not request elevated platform privileges. That is appropriate. However, skill.json's declared file-system permissions provide a persistent capability to read/write the OpenClaw workspace; combined with the exec and path issues this is noteworthy but not an automatic privilege escalation.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install baostock-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/baostock-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Local skill registration
元数据
常见问题
Baostock Skill 是什么?
Query Chinese A-share market data using BaoStock. Use when user asks for stock quotes, historical K-line, fundamentals, or market analysis. Supports real-tim... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 118 次。
如何安装 Baostock Skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install baostock-skill」即可一键安装,无需额外配置。
Baostock Skill 是免费的吗?
是的,Baostock Skill 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Baostock Skill 支持哪些平台?
Baostock Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Baostock Skill?
由 liyico(@liyico)开发并维护,当前版本 v1.0.0。
推荐 Skills