← 返回 Skills 市场
shinelp100

Stock Data Monorepo

作者 shinelp100 · GitHub ↗ · v1.2.5 · MIT-0
cross-platform ⚠ suspicious
63
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install stock-data-monorepo
功能描述
A 股数据查询技能集合,包含 4 个子技能:cn-stock-volume(成交量)、stock-top-gainers(涨幅排名)、ths-stock-themes(题材概念)、stock-theme-events(题材事件)。 **触发场景**: - 作为 stock-daily-report 的数据源依赖...
安全使用建议
What to check before installing or running this skill: - Review and run the scripts in a sandboxed environment (not on a production host). The code uses subprocess to call 'openclaw', 'npx', and 'node' — confirm those binaries exist and are trustworthy in your environment. - Inspect any subprocess invocations that interpolate strings (the code uses python -c and builds command strings in places). If you will pass untrusted input to the scripts, this can be a command-injection risk. - Note the scripts read/write files under your home directory (workspace, ~/.jvs/.openclaw, ~/Desktop, manual/). If you are uncomfortable with that, run from a separate user or container and change output paths. - The code attempts to read another skill's cache at a hardcoded path; verify you are okay with cross-skill file reads and that no sensitive data exists at that path. - Dependencies: SKILL.md lists pip packages (akshare, sentence-transformers, scikit-learn). Ensure you install them in an isolated virtualenv to avoid dependency conflicts. - If you plan to allow autonomous agent invocation, be cautious: the scripts try to call platform tooling to access a 'browser' tool. If the platform CLI were compromised, this skill could trigger broader actions — consider keeping autonomous invocation disabled until you vet the toolchain. If you want, I can highlight exact lines of concern (subprocess calls, hardcoded cache paths, file-write locations) so you or a developer can inspect them before running.
功能分析
Type: OpenClaw Skill Name: stock-data-monorepo Version: 1.2.5 The skill bundle contains several security vulnerabilities and poor development practices that pose a risk to the host environment. Specifically, 'cn-stock-volume/scripts/fetch_data.py' exhibits a potential code injection vulnerability where a URL is unsafely interpolated into a Python command string executed via 'subprocess.run'. Additionally, multiple scripts, including 'generate_report.py' and 'run_full_analysis.py', use hardcoded absolute paths tied to a specific user environment ('/Users/shinelp100/...') and write files directly to the user's Desktop ('~/Desktop/A 股每日复盘'). While these behaviors appear to be unintentional flaws or developer oversights rather than intentional malware, the combination of intrusive file system access and unsafe command execution warrants a suspicious classification.
能力评估
Purpose & Capability
Name/description match the included code: the repo contains four stock-related sub-skills (index numbers, top gainers, themes, theme-events). Declared Python/browser requirements and pip packages (akshare, sentence-transformers, scikit-learn) align with scraping and NLP/clustering tasks in the files (e.g., cluster_themes.py, fetch_themes.py). Minor inconsistency: top-level registries reported 'no install spec', but SKILL.md contains an 'install' metadata block listing pip packages — the user should ensure dependencies will actually be installed or installed manually.
Instruction Scope
Runtime instructions and scripts instruct the agent/user to run Python scripts and to use a 'browser' tool. Several scripts (browser_fetch.py, fetch_data.py) run subprocesses that invoke the OpenClaw CLI (openclaw browser / web-fetch) and even try alternative execution paths (npx, node). fetch_data.py also attempts to read a hardcoded cache file path belonging to another skill (.jvs/.openclaw/workspace/skills/fetch-index-data/cache/2026-03-20.json). The scripts write outputs to user Desktop and workspace. These instructions extend beyond simple HTTP requests (they attempt to call platform tooling and access other skills' files), so review is advised.
Install Mechanism
Registry metadata says 'no install spec' but SKILL.md includes an 'install' array listing pip packages (akshare, sentence-transformers, scikit-learn). The package list is reasonable for the claimed functionality. No remote download/install from arbitrary URLs was observed. Because the repository is code-heavy (many Python scripts), the practical install step is likely 'pip install' + running scripts — confirm how your agent/host will install those pip deps.
Credentials
The skill declares no required environment variables or credentials, which matches the description. However, scripts access filesystem locations (Path.home(), ~/.jvs/.openclaw/workspace, user Desktop, and a 'manual' directory) and attempt to read another skill's cache file. Reading other skill directories is unexpected for a single-purpose data fetcher and could expose or reuse unrelated data. The skill also spawns subprocesses that rely on a platform CLI (openclaw/npx/node) and manipulates PATH when invoking them — this increases the runtime environment surface and should be checked.
Persistence & Privilege
The skill does not request 'always: true', does not declare privileged persistent presence, nor does it modify other skills' configurations. It writes output files to standard user paths (workspace, Desktop) and creates 'manual/' files — expected for a reporting tool. There is some cross-skill access (reading a specific cache file) but no evidence the skill auto-enables itself or claims elevated platform privileges.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install stock-data-monorepo
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /stock-data-monorepo 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.5
更新 stock-top-gainers 和 ths-stock-themes 元数据,新增 browser 脚本
v1.2.4
v1.2.2: 修复非交易日数据处理,新增 stock-top-gainers 完整脚本,完善 stock-theme-events 分析功能
v1.2.3
v1.2.2: 修复非交易日数据处理,新增 stock-top-gainers 完整脚本,完善 stock-theme-events 分析功能
元数据
Slug stock-data-monorepo
版本 1.2.5
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 3
常见问题

Stock Data Monorepo 是什么?

A 股数据查询技能集合,包含 4 个子技能:cn-stock-volume(成交量)、stock-top-gainers(涨幅排名)、ths-stock-themes(题材概念)、stock-theme-events(题材事件)。 **触发场景**: - 作为 stock-daily-report 的数据源依赖... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 63 次。

如何安装 Stock Data Monorepo?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install stock-data-monorepo」即可一键安装,无需额外配置。

Stock Data Monorepo 是免费的吗?

是的,Stock Data Monorepo 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Stock Data Monorepo 支持哪些平台?

Stock Data Monorepo 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Stock Data Monorepo?

由 shinelp100(@shinelp100)开发并维护,当前版本 v1.2.5。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论