← 返回 Skills 市场
fund-monitor
作者
hongjiahao371-pixel
· GitHub ↗
· v1.0.0
· MIT-0
587
总下载
0
收藏
4
当前安装
1
版本数
在 OpenClaw 中安装
/install fund-monitor
功能描述
基金监控Skill - 获取基金净值、涨跌数据,支持批量查询和监控
使用说明 (SKILL.md)
基金监控Skill
能力概述
本Skill用于获取基金净值、涨跌数据,支持:
- 单只基金查询
- 批量基金查询
- 持仓组合分析
- 每日涨跌播报
使用方法
1. 查询单只基金
查询 017745 基金的今日数据
2. 批量查询
查询以下基金的今日涨跌:017745, 002834, 018412
3. 持仓分析(需要提供持仓数据)
分析我的基金持仓:017745 27366元, 002834 15815元
注意事项
- 免费数据源可能有延迟
- 批量查询有频率限制
- 需要网络连接
- 支持A股公募基金(场外基金)
安全使用建议
This skill mostly does what it says (fetches fund data), but the package contains undeclared behaviour that posts reports to a Feishu document using hard-coded credentials. Before installing or running it:
- Inspect and understand the hard-coded strings: DOC_TOKEN, APP_ID, APP_SECRET appear in append-fund.js and update-feishu.js. These allow the skill to authenticate to open.feishu.cn and append content to a remote doc.
- Be aware scripts read local files (e.g., /Users/js/.openclaw/workspace/fund_data.json and ~/.openclaw/workspace/skills/fund-monitor). That could expose local data to the Feishu endpoint when run.
- If you need Feishu integration, prefer replacing hard-coded credentials with environment variables you control, and limit the app's permissions; do not use the embedded secrets.
- Do not run run-fund-report.sh or update scripts until you confirm what will be sent and to which account; run the fund-monitor scripts in a sandboxed environment first and inspect outputs.
- Ask the publisher for clarification: why Feishu credentials are embedded, who owns the Feishu doc, and whether the behaviour should be documented in SKILL.md.
- If you cannot verify the origin or purpose of the embedded credentials, avoid installing or executing the reporting scripts, and consider removing the remote-posting code or replacing credentials with your own securely stored values.
功能分析
Type: OpenClaw Skill
Name: fund-monitor
Version: 1.0.0
The skill bundle contains hardcoded sensitive credentials, including a Feishu APP_ID and APP_SECRET, in both append-fund.js and update-feishu.js. There is a significant file type mismatch where append-fund.js contains Python code despite its extension, and multiple scripts reference hardcoded absolute file paths tied to a specific local user environment (/Users/js/). While the logic appears aligned with the stated purpose of fund monitoring, the inclusion of active API secrets and environment-specific paths is a high-risk practice that could lead to credential exposure or execution failures.
能力评估
Purpose & Capability
The Python scripts fetch fund data from expected public sources (eastmoney) which matches the skill description. However, multiple files (append-fund.js, update-feishu.js, run-fund-report.sh) implement automatic posting to a Feishu document using hard-coded DOC_TOKEN, APP_ID, and APP_SECRET. SKILL.md does not mention Feishu integration or automatic posting, so these external-reporting capabilities are undeclared and disproportionate to the stated usage examples.
Instruction Scope
SKILL.md shows only query and analysis commands and mentions '每日涨跌播报' but does not instruct the agent to read local files or push data to Feishu. The included scripts (append-fund.js, update-feishu.js, run-fund-report.sh) read local data (/Users/js/.openclaw/workspace/fund_data.json and workspace paths) and send parsed results to open.feishu.cn. That means data produced or present on the host may be transmitted to an external endpoint not described in the runtime instructions.
Install Mechanism
There is no network download/install step included (instruction-only with bundled code files). No external install URLs or archive extraction are used. The presence of multiple runnable scripts is expected for a skill with local reporting behavior.
Credentials
The skill metadata declares no required environment variables or credentials, but the code embeds plaintext Feishu credentials (DOC_TOKEN, APP_ID, APP_SECRET) in both append-fund.js and update-feishu.js. Embedding credentials rather than declaring them as required env vars is inconsistent and risky. The scripts will use these credentials to authenticate to Feishu and append data to a remote document.
Persistence & Privilege
The skill is not configured with always:true and does not request elevated platform privileges. However, run-fund-report.sh and run_fund.sh are present and, if executed by the agent or scheduled externally, will cause automatic remote updates. Autonomous model invocation is allowed by default (not a specific issue unless combined with the other red flags).
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install fund-monitor - 安装完成后,直接呼叫该 Skill 的名称或使用
/fund-monitor触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of fund-monitor skill.
- 提供基金净值及涨跌幅查询,支持单只或批量查询
- 支持基金持仓组合分析
- 可进行每日基金涨跌播报
- 使用需注意数据延迟与查询频率限制
- 支持A股公募基金(场外基金)
元数据
常见问题
fund-monitor 是什么?
基金监控Skill - 获取基金净值、涨跌数据,支持批量查询和监控. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 587 次。
如何安装 fund-monitor?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install fund-monitor」即可一键安装,无需额外配置。
fund-monitor 是免费的吗?
是的,fund-monitor 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
fund-monitor 支持哪些平台?
fund-monitor 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 fund-monitor?
由 hongjiahao371-pixel(@hongjiahao371-pixel)开发并维护,当前版本 v1.0.0。
推荐 Skills