← 返回 Skills 市场

Stock Heat Rank

Name: Stock Heat Rank
Author: n1e

作者 n1e · GitHub ↗ · v1.0.3 · MIT-0

cross-platform ⚠ suspicious

182

总下载

当前安装

版本数

在 OpenClaw 中安装

/install stock-heat-rank

功能描述

[Go语言版] 获取A股市场实时热度排名TOP50。聚合问财、雪球、东方财富三大平台人气榜单，计算复合热度分数。当用户需要查询A股热门股票、实时人气排名、市场关注度排行、涨停板热度分析时使用此技能。支持多平台热度对比，发现市场热点股票。

安全使用建议

This skill appears to implement the stated feature (aggregating popularity lists and computing a composite heat score), but there are a few things to consider before installing: - Node.js/npm are required at runtime: the Go program execs 'node lib/hexin_v.js' and SKILL.md instructs running 'npm install' in lib. The registry metadata incorrectly claims no required binaries — make sure you have Node 18+ and npm available before running. - The bundled lib/hexin_v.js is large, minified/obfuscated, and is executed locally. The file is intended to generate a Hexin‑V request header for Wencai; if you are uncomfortable executing minified third‑party JS, review the file line-by-line or run the tool in an isolated environment (container or VM). You can also run network capture (tcpdump/Wireshark) during a test run to verify it only contacts the expected sites. - npm dependency 'canvas' may require native libraries (libcairo, etc.). Expect extra system-level dependencies when running 'npm install'. - The skill performs network requests to public platforms (iwencai, xueqiu, eastmoney). It does not request credentials, but scraping may be brittle and could trigger anti-bot protections. Avoid running as root; test in a sandbox and inspect network traffic if you need to be cautious about hidden endpoints. - If you want higher assurance: 1) Inspect lib/hexin_v.js (or replace it with a reviewed implementation), 2) run the Go binary with the Node call stubbed or instrumented to print the generated header without sending requests, 3) run in an isolated environment and verify behavior before using on a production machine. Given the metadata/instruction mismatch and the execution of bundled minified JS, treat this skill as suspicious until you confirm the JS signer does only local computation and there are no unexpected network calls.

功能分析

Type: OpenClaw Skill Name: stock-heat-rank Version: 1.0.3 The skill bundle contains a heavily obfuscated JavaScript file (`lib/hexin_v.js`) which is required for generating API signatures. While the documentation claims this is extracted from official frontend code to bypass anti-scraping measures, the high level of obfuscation makes it impossible to verify if it contains hidden malicious logic. Furthermore, `main.go` uses `os/exec` to run this script via Node.js, which is a risky pattern. Although the behavior aligns with the stated purpose of scraping stock data, the presence of a large 'black box' execution payload is a significant security risk.

能力评估

ℹ Purpose & Capability

The name/description (aggregate Wencai, Xueqiu, Eastmoney and compute TOP50) matches what the code does: the Go program fetches data from those sites and computes a composite score. However the skill metadata claims 'required binaries: none' and 'required env vars: none', while runtime actually depends on Node.js/npm (the Go code execs node to run lib/hexin_v.js and SKILL.md instructs running 'npm install' in lib). This is an incoherence between declared requirements and actual needs.

ℹ Instruction Scope

SKILL.md instructs installing JS deps and running the Go program; instructions do not ask to read unrelated local files or exfiltrate secrets. The runtime calls out to the three platforms (Wencai, Xueqiu, Eastmoney) — expected. The Go code runs a local Node script (lib/hexin_v.js) via exec.Command('node', ...), and makes HTTP requests to the target sites. The instructions claim hexin_v.js does no network I/O and only performs local signature generation; the included JS appears to set up a JSDOM environment and generate a header, but it is large/minified and partly obfuscated, which makes quick manual review difficult. The instructions are otherwise scoped to the task.

⚠ Install Mechanism

There is no formal install spec in registry metadata (instruction-only), but SKILL.md requires running 'npm install' in lib (jsdom & canvas) and running node. The code bundle includes a large minified JS (lib/hexin_v.js) extracted from a frontend; executing third-party/minified JS is higher risk because behavior is harder to audit. The included package.json is from npm (jsdom and canvas) — these are known packages but 'canvas' often requires native libs and can complicate install. No external download URLs are used, and Go build script is local. The main concern is executing bundled, minified JS with node that wasn't declared in required binaries.

⚠ Credentials

The skill declares no required credentials or config paths and the code does not request API keys. That is appropriate for a web-scraping aggregator. However it does execute local binaries (node) and spawns a child process — the metadata omission of Node/npm is a proportionality mismatch that could mislead users about what the skill will execute. No other environment variables or secrets are accessed in the code.

✓ Persistence & Privilege

The skill is not always:true, does not request elevated/persistent privileges, and does not modify other skills or system-wide settings. Build.sh creates artifacts in a local dist/ directory — normal for building a CLI. There is no evidence it writes persistent agent configuration or attempts to enable itself globally.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install stock-heat-rank
安装完成后，直接呼叫该 Skill 的名称或使用 /stock-heat-rank 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.3

- Indicate that this is a Go language version in both the Chinese and English descriptions. - Add "Go版本/Go Version" label to the title and throughout the documentation, clarifying the implementation language. - No changes to algorithm or functionality; documentation update only.

v1.0.2

- Added full English translations for all major sections alongside existing Chinese content in the documentation. - Introduced an English description_en field in metadata. - Improved table headers and output examples with bilingual (Chinese/English) labels. - Enhanced readability for international users by presenting execution steps, algorithm explanations, troubleshooting, and platform notes in both Chinese and English. - No functional or logic changes; documentation update only.

v1.0.1

- 优化了执行和运行文档说明，增加了 Go 直接运行与构建详细步骤。 - 默认推荐使用 `go run main.go` 直接运行，无需编译，简化启动流程。 - 项目结构和依赖安装步骤表述更清晰。 - 新增 hexin_v.js 功能和安全说明，提升透明度。 - 原有平台说明、故障排查等内容更为简洁易读。

v1.0.0

A股实时热度排名 skill 初始发布，支持多平台热榜聚合。 - 聚合问财、雪球、东方财富三大榜单，统一复合热度排名TOP50 - 创新设计复合热度打分，反映A股市场股票实时关注度 - 支持多平台热度对比及市场热点股票发现 - 多平台跨系统可执行文件，CLI 支持多种输出格式 - 提供详尽安装、运行与故障排查说明

元数据

Slug stock-heat-rank

版本 1.0.3

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 4

常见问题

Stock Heat Rank 是什么？

[Go语言版] 获取A股市场实时热度排名TOP50。聚合问财、雪球、东方财富三大平台人气榜单，计算复合热度分数。当用户需要查询A股热门股票、实时人气排名、市场关注度排行、涨停板热度分析时使用此技能。支持多平台热度对比，发现市场热点股票。它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 182 次。

如何安装 Stock Heat Rank？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install stock-heat-rank」即可一键安装，无需额外配置。

Stock Heat Rank 是免费的吗？

是的，Stock Heat Rank 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Stock Heat Rank 支持哪些平台？

Stock Heat Rank 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Stock Heat Rank？

由 n1e（@n1e）开发并维护，当前版本 v1.0.3。