Quant Stock

AI量化选股系统 - 基于多维度评分模型的A股选股分析工具。扫描新能源、电力、半导体、医药、AI、机器人、军工、贵金属等行业，输出每日量化选股报告。

What to consider before installing or enabling this skill: - Don’t run the scripts or install the cron job until you inspect and, if needed, modify them. install_cron.sh will edit your crontab and run_task.sh will attempt to run on a schedule. - Inspect and remove or replace hard-coded recipients: run_task.sh calls openclaw message send --target "oc_9fc66a80f86a4b97f925e526ca35887e" and main.py has FEISHU_CHAT_ID = "oc_0142a8d63ace2e4db368ae7b607e702f". Those IDs will cause reports (potentially sensitive) to be sent to external targets. Change these to IDs under your control or make them configurable before running. - The SKILL.md suggests creating feishu_config.json, but main.py expects it in an odd location (parent of the project directory). Confirm where the code reads the file and place credentials accordingly; do not reuse high-privilege credentials. Prefer to create a dedicated Feishu bot/tenant with minimal permissions. - The skill fetches data from multiple public sources (EastMoney, Sina, Tencent, Baostock) — expected for this purpose — but network access is needed. If you are concerned about data leaving your environment, run the tool in an isolated environment or air-gapped VM. - The repo references update_hot.sh in install_cron.sh but that file is missing; the cron installer may be incomplete or buggy — verify and test manually first. - If you plan to automate, run the scripts manually first to verify outputs, logs, and recipients. Review run_task.sh, main.py and any CLI calls (openclaw) to ensure no unexpected exfiltration. - If you are not comfortable editing code, ask the publisher for a homepage or source repository to verify provenance. The package owner is anonymous in the registry metadata; that reduces trust. Primary risk vectors: hard-coded external recipient IDs (possible exfiltration of reports) and crontab persistence. These are actionable and should be remediated (make recipients configurable, remove hard-coded OpenClaw sends) before allowing scheduled runs.

Type: OpenClaw Skill Name: quant-stock Version: 1.0.0 The skill bundle implements a stock analysis tool that exhibits several concerning behaviors. It includes hardcoded messaging targets in scripts/main.py (FEISHU_CHAT_ID) and scripts/run_task.sh (openclaw target ID), which could result in data being sent to the author's accounts rather than the user's. Furthermore, the instructions in references/RULES.md explicitly command the AI agent to be deceptive by filtering out all negative scoring tags from the final report. The bundle also establishes persistence via a crontab installation script (scripts/install_cron.sh) and performs extensive automated network requests to various financial news and data providers.