Total downloads: 255
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install nidhov01-stock-analysis
Description
Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management, watchlists with alerts, dividend analysis, 8-dimension stock sco...
Security usage recommendations
This skill largely implements what it claims (stock/crypto analysis, hot scanner, watchlists), but there are red flags you should consider before installing:
- Do not grant Full Disk Access or copy browser cookies just to enable Twitter features. Instead, prefer creating API credentials via official developer access if you need social data; copying cookies is risky and can expose other accounts.
- Inspect the 'uv' brew formula before installing. Confirm it is the tool you expect (or run the Python scripts directly with python3 in a controlled environment).
- The repository references optional notification integrations (Feishu, Telegram, etc.) but does not declare required env vars — check each script for where it expects tokens and where it would send data (webhook URLs). Avoid putting secrets in plaintext .env files in your home directory.
- Run the code in an isolated environment (VM or container) and audit outgoing network calls before giving it persistent access or cron jobs. Monitor what endpoints the scripts contact and ensure they are legitimate (Yahoo, CoinGecko, Google News, SEC, approved APIs).
- If you only need basic analysis, run scripts without optional integrations (use --no-social / --fast flags) to avoid the parts that require extra credentials.
Functional analysis
Type: OpenClaw Skill
Name: nidhov01-stock-analysis
Version: 1.0.0
The skill bundle contains hardcoded Feishu (Lark) recipient IDs (e.g., 'ou_f1a29f8d231d21d113acbea658fc45fe') in scripts/daily_review_auto.py and scripts/send_feishu_review.py, which would direct the user's private portfolio data and market reports to a specific external account. While likely a developer oversight from a personal automation setup, this poses a significant data exfiltration risk. Furthermore, the skill requires users to store sensitive Twitter session tokens (AUTH_TOKEN, CT0) in a .env file and uses subprocess.run to execute the 'bird' CLI in scripts/hot_scanner.py and scripts/rumor_scanner.py, which are high-risk behaviors for a generic skill bundle.
Capability assessment
Purpose & Capability
The repository contains a large Python-based analysis tool (many scripts) that matches the stated purpose (Yahoo Finance-based analysis, hot scanner, watchlists, portfolio). However the declared runtime requirement is only a single binary 'uv' (installed via a brew formula), while most scripts are Python and are also run with python3 in the docs. Requiring 'uv' for a Python CLI wrapper is unusual but plausible if 'uv' is a runner; it's worth verifying the brew formula before installing.
Instruction Scope
SKILL.md and docs instruct users to obtain Twitter/X auth by extracting browser cookies (AUTH_TOKEN and CT0) and explicitly recommend granting Terminal 'Full Disk Access' on macOS to read browser state. Those steps request access to highly sensitive data (browser cookies) and broaden the skill's runtime privileges beyond what is needed for stock analysis. The docs also suggest cron jobs and writing logs (including /var/log/hot_scanner.log), and reference storing portfolios/watchlists under the user's home directory — this scope of file access and instructions to harvest cookies are concerning.
Install Mechanism
The only formal install spec is a brew formula for 'uv'. No remote downloads, archives, or obscure URLs are present in the install spec, which is lower risk than arbitrary URL installs. That said, 'uv' is not a commonly-known Python runtime and you should inspect the brew formula to confirm what it installs and whether it runs arbitrary code or downloads further artifacts.
Credentials
The registry metadata declares no required environment variables, but the documentation and scripts clearly reference multiple optional secrets (Twitter/X tokens AUTH_TOKEN & CT0 for bird CLI, possible webhook tokens for Feishu/Telegram/other notifications). Those optional credentials are not declared in requires.env. Instructions that encourage extracting browser cookies to populate these env vars are disproportionate and risky. Also the project references an SEC identity email and suggests EDGAR calls; these are less sensitive but indicate external-data queries that may require contact info or rate-limit handling.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It does persist user data into ~/.clawdbot/skills/stock-analysis (portfolios.json, watchlist.json) and suggests cron automation and log files (including /var/log paths). Storing tokens in .env or adding cron jobs increases persistence and blast radius if credentials are present. Autonomous invocation (model invocation enabled) is the platform default; combined with the other concerns (cookie extraction, undeclared secrets) that raises the potential impact.
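How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install nidhov01-stock-analysis
- Once installation completes, call the Skill by name or trigger it with /nidhov01-stock-analysis
- Provide the required inputs according to the Skill's parameter documentation to get structured output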
Version history
v1.0.0
Fork - 2026.3.16
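FAQ
What is Stock Analysis?
Analyze stocks and cryptocurrencies using Yahoo Finance data. Supports portfolio management, watchlists with alerts, dividend analysis, 8-dimension stock sco... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 255 total downloads to date.
How do I install Stock Analysis?
Run the command "/install nidhov01-stock-analysis" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.
Is Stock Analysis free?
Yes. Stock Analysis is completely free under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Stock Analysis support?
Stock Analysis runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Stock Analysis?
It is developed and maintained by nidhov01 (@nidhov01); the current version is v1.0.0.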