newhackerman

Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks, and US stocks

Author: newhackerman · GitHub · v1.4.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 314
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install stock-analysis-best
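Description
Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks, and US stocks
Security usage recommendations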
This skill appears to do what it says: fetch public market data, compute indicators, and produce downloadable HTML reports. Before installing or running it:
1) Run it in an isolated container or environment (do not bind the container port to a public host) because it launches a simple Python HTTP server on port 8888 that will expose the reports directory to the network if reachable.
2) Treat user-supplied inputs (company name / stock code) as untrusted: filenames are constructed without sanitization, which could allow path traversal or overwriting files — prefer safe names or validate/escape inputs.
3) Ensure the runtime has only expected tools (curl, jq, bc, python3) and that outbound network access is acceptable (the scripts call multiple public finance sites over HTTP/HTTPS).
4) If you need stricter privacy, modify generate-pdf-report.sh to bind the HTTP server to localhost only (python3 -m http.server --bind 127.0.0.1) or avoid starting a server and instead use the platform's file-download API.
If you want me to, I can point out exact lines to harden (e.g., sanitize COMPANY_NAME, restrict server bind) or produce a patched generate-pdf-report.sh that is safer.
Functional analysis
Type: OpenClaw Skill
Name: stock-analysis-best
Version: 1.4.0
The skill bundle implements a high-risk feature by starting a background HTTP server on port 8888 using 'python3 -m http.server' in 'generate-pdf-report.sh' to serve generated reports. While this aligns with the stated purpose of providing downloadable reports, it opens an unauthenticated network port within the environment. Additionally, multiple scripts (e.g., 'analyze.sh', 'generate-pdf-report.sh', and 'fetch-research.sh') are highly vulnerable to shell command injection because they use unsanitized user inputs like stock codes and company names directly in shell commands and curl arguments. There is no evidence of intentional data exfiltration, but the combination of network exposure and critical injection vulnerabilities warrants a suspicious classification.
Capability assessment
Purpose & Capability
Name/description (systematic investment analysis for A/H/US stocks) match the included scripts and templates: data fetching (multiple public finance sources), calculations, report generation and comparison. Required binaries and env/paths declared in SKILL.md (curl, jq, bc, python3, bash) align with the scripts' needs.
Instruction Scope
Runtime instructions and scripts are within the stated scope (fetch data, compute indicators, generate HTML/PDF, and serve reports). Two operational behaviors to note: (1) generate-pdf-report.sh launches python3 -m http.server on port 8888 and advertises direct download links — this exposes the reports directory over HTTP (serves all files in that directory) and may be reachable depending on container/network configuration; (2) filenames use user-supplied COMPANY_NAME without sanitization (e.g., ${COMPANY_NAME}_${STOCK_CODE}.html), which can enable path traversal or unexpected file creation if malicious input is provided. These are functional for the claimed feature but increase risk if the skill runs in a broad network context or with untrusted inputs.
Install Mechanism
No install spec; the package includes scripts and templates only. There are no downloads from third-party URLs or package installs embedded in an installer. This is lower risk than remote installs, but the skill includes executable scripts that will run when invoked.
Credentials
The skill requests no environment variables or external credentials. The dependencies (curl, jq, bc, python3) are reasonable for its functionality. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide changes. It starts a local HTTP server and writes files under its own directory (/app/skills/stock-analysis/reports/), which is normal for report generation. There is no evidence it modifies other skills or global configs.
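How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install stock-analysis-best
  3. Once installation completes, invoke the Skill by name or trigger it with /stock-analysis-best
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history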
v1.4.0
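**New: automatic generation of downloadable HTML/PDF reports**
- Added automatic HTML report generation and download links after analysis
- Added the analyze-with-pdf.sh and generate-pdf-report.sh scripts for one-step report generation and download
- Reports can be accessed directly over a local HTTP port, making it easy to preview in a browser and save as PDF
- Added the reports/ directory, which automatically stores each company's analysis report files
- Integrated data caching with report generation to improve the user experience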
v1.3.0
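Version 1.3.0 — Adds industry peer selection and smart suggestions.
- Added peer-selection hints: automatically compares companies in the same industry to help find better investment targets
- Enhanced the peer comparison module with composite scoring and peer-selection hint rules
- Added the compare-stocks.sh script for automated peer comparison analysis
- Integrated peer-selection hints into output reports, templates, and quick reviews
- The analysis flow now automatically fetches, processes, and outputs peer-selection hints during analysis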
Metadata
Slug stock-analysis-best
Version 1.4.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 2
FAQ

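What is "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks, and US stocks"?

Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks, and US stocks. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 314 total downloads to date.

How do I install "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks, and US stocks"?

Run the command "/install stock-analysis-best" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.

Is "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks, and US stocks" free?

Yes, "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks, and US stocks" is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks, and US stocks" support?

"Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks, and US stocks" is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed "Systematic investment-value analysis of listed companies, supporting A-shares, Hong Kong stocks, and US stocks"?

Developed and maintained by newhackerman (@newhackerman); the current version is v1.4.0.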
