← 返回 Skills 市场
67
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install stock-price-query-mx
功能描述
实时股票行情查询,支持 A 股、港股、美股及大盘指数,支持批量查询。无需 API Key。Real-time stock & index quotes for A-shares, HK & US markets. Batch supported.
安全使用建议
This skill appears to implement real-time stock queries, but there are inconsistencies and risky behaviors you should consider before installing:
- The README claims 'no API Key', yet the Python code tries to use EM_API_KEY (from env) or reads /root/.openclaw/workspace/vault/credentials/eastmoney.json. That means it may attempt to access platform-stored credentials without declaring it. Do not install unless you accept that behavior.
- The script invokes another skill's script at /root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py and then reads Excel files that the other script outputs. That cross-skill access can read or process files outside this skill and could be used to access sensitive workspace data. Ask the author why this cross-skill call is necessary and request that the required functionality be included in this skill or replaced by direct, documented API calls.
- The skill uses pandas and reads Excel files but lists only python3 as a required binary. Verify that the runtime environment has needed Python packages, or that a safe install plan is provided.
- If you must use it: run the skill in a restricted/sandboxed agent environment that prevents access to /root/.openclaw/workspace and the vault, or inspect the external get_data.py file and the eastmoney.json vault contents first. Prefer versions that use only public HTTP APIs (qt.gtimg.cn) without accessing platform vaults or other skills.
What would change this assessment: if the publisher provides an explanation showing the mx-finance-data get_data.py is bundled and audited as part of this skill (not an unaudited external script), if the skill is updated to stop reading platform vault paths and instead documents required API keys explicitly, or if the code is modified to only use public APIs and to declare required dependencies (pandas) clearly.
功能分析
Type: OpenClaw Skill
Name: stock-price-query-mx
Version: 1.1.4
The skill is classified as suspicious due to its practice of accessing sensitive credential files from a hardcoded path (`/root/.openclaw/workspace/vault/credentials/eastmoney.json`) and executing scripts from an external skill directory (`mx-finance-data`) using `subprocess.run`. While `scripts/stock_query.py` implements regex-based input validation to prevent simple shell injection, the hardcoded reliance on specific filesystem structures and cross-skill execution increases the attack surface and potential for unauthorized data access within the OpenClaw environment. The script also interacts with the external domain `qt.gtimg.cn` for data retrieval.
能力标签
能力评估
Purpose & Capability
The description claims 'no API Key' and 'zero dependencies', but the included scripts try to obtain an EM_API_KEY (from env or from /root/.openclaw/workspace/vault/credentials/eastmoney.json) and call an external mx-finance-data script under /root/.openclaw/workspace/skills/.... Accessing a vault file and another skill's scripts is not required for a simple public-API stock query and does not align with the 'no API Key / zero-dependency' claim.
Instruction Scope
SKILL.md instructs running the included script in the skill dir, but the script's runtime behavior expands scope: it spawns subprocesses that run /root/.openclaw/workspace/skills/mx-finance-data/scripts/get_data.py, parses stdout to find file paths and then reads Excel files and (optionally) pandas output. The script also tries to read a credential file from the platform vault. These actions access platform-internal paths and other skills' artifacts beyond the described functionality.
Install Mechanism
No install spec (instruction-only) so nothing is downloaded at install time — lower install risk. However, runtime imports (pandas, reading Excel) are required but not declared, so execution may fail or pull in packages at runtime. The use of subprocess to execute other workspace scripts increases runtime dependencies and risk.
Credentials
The skill declares no required env vars, but the code reads EM_API_KEY from the environment and, if absent, attempts to read a credentials JSON from the platform vault path. Requesting or accessing an internal vault file and passing EM_API_KEY into subprocesses is disproportionate to a 'no-API-key' stock price tool and raises risk of secret access/exfiltration.
Persistence & Privilege
always:false (good), but the script directly invokes another skill's script via an absolute path in the shared workspace and reads files from the workspace/vault. While it doesn't set 'always' or alter other skills' configs, accessing other skills' code and platform credential locations crosses containment boundaries and grants more privilege than expected for a query helper.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install stock-price-query-mx - 安装完成后,直接呼叫该 Skill 的名称或使用
/stock-price-query-mx触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.4
修复港股数据延迟问题:港股改用妙想数据服务(实时),A 股/美股继续使用腾讯 API。混合数据源策略确保所有市场数据实时准确。
元数据
常见问题
Stock Price Query MX 是什么?
实时股票行情查询,支持 A 股、港股、美股及大盘指数,支持批量查询。无需 API Key。Real-time stock & index quotes for A-shares, HK & US markets. Batch supported. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 67 次。
如何安装 Stock Price Query MX?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install stock-price-query-mx」即可一键安装,无需额外配置。
Stock Price Query MX 是免费的吗?
是的,Stock Price Query MX 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Stock Price Query MX 支持哪些平台?
Stock Price Query MX 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Stock Price Query MX?
由 LiuLi(@liuli4)开发并维护,当前版本 v1.1.4。
推荐 Skills