
Stock Tools

Author: daguniang · GitHub · v1.0.6 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 456
Favorites: 0
Current installs: 0
Versions: 7
Install in OpenClaw
/install stock-tools
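Description
Watchlist management and A-share market quote conversation capability. Use when the user asks in natural language to add/remove/list/clear watchlist stocks, or asks about a stock / watchlist quotes, price change, trend, performance, or overview, for example "add 0...
Security usage recommendations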
This skill is internally consistent with its description and uses only a public quote endpoint; it does not request secrets. However, the stock management CLI allows a --file override that can point at any path the process can access — which could be used to read or overwrite sensitive files if the agent is instructed to do so. Before installing, consider: (1) only enable this skill in a sandboxed agent environment where the agent process has limited filesystem access, (2) review and/or modify stock_tools.js to disallow absolute paths or restrict paths to a designated data directory, and (3) if you don't need the CLI's --file flexibility, remove or harden that option. Also note a minor runtime risk: fetch_quote.js attempts to decode GBK via TextDecoder('gbk'), which may fail in some Node environments (functional bug, not a security issue).
Functional analysis
Type: OpenClaw Skill
Name: stock-tools
Version: 1.0.6
The skill provides legitimate stock watchlist management and quote fetching via Sina Finance. However, `scripts/stock_tools.js` contains a path traversal vulnerability because it accepts an arbitrary file path via the `--file` command-line argument without sanitization or directory restriction. While the instructions in `SKILL.md` only reference a safe default path (`stocks-data/stocklist.txt`), the underlying script's capability could be exploited by a malicious user to trick the agent into reading or overwriting sensitive system files.
Capability assessment
Purpose & Capability
Name/description, SKILL.md, and included scripts align: fetch_quote.js queries the public Sina quote API and stock_tools.js manages a local watchlist file. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
SKILL.md confines file storage to a workspace path (stocks-data/stocklist.txt) and instructs use of the included node scripts. The code implements exactly that. However, the stock_tools.js CLI accepts a --file argument permitting arbitrary file paths; the documentation does not warn about this override, which could be misused to access non-watchlist files.
Install Mechanism
No install spec or external downloads. The skill is instruction-only with two bundled JS scripts — nothing is fetched at install time and no external packages are automatically installed.
Credentials
No environment variables, credentials, or config paths are required. The network usage (https calls to hq.sinajs.cn) matches the stated purpose.
Persistence & Privilege
The skill writes to and reads from the filesystem (stocks-data/stocklist.txt) as intended. But because the CLI supports --file to point at arbitrary paths, an agent invoking this skill could read or overwrite arbitrary files that the skill process has access to. Although always:false, autonomous invocation plus this file-override capability raises risk of accidental or intentional data exposure.
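How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install stock-tools
  3. Once installation completes, call the Skill by name or trigger it with /stock-tools
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history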
v1.0.6
Make off-hours/invalid quotes human-friendly; show prevClose when realtime price unavailable
v1.0.5
Default short output to avoid truncation; add --json mode; filter invalid quotes; ignore .DS_Store
v1.0.4
Add lightweight quote fetcher and update skill guidance
v1.0.3
Tweak prompts in SKILL.md
v1.0.2
Remove: the description about preferring the large model for answering quote-related questions
v1.0.1
Security-friendly 1.0.1: local script handles watchlist persistence only; runtime stocklist data removed from release package; stock quotes remain model-first.
v1.0.0
Initial 1.0.0 release: persistent watchlist storage, model-first stock Q&A, and fresh quote fetch rules.
Metadata
Slug: stock-tools
Version: 1.0.6
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 7
FAQ

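What is Stock Tools?

Watchlist management and A-share market quote conversation capability. Use when the user asks in natural language to add/remove/list/clear watchlist stocks, or asks about a stock / watchlist quotes, price change, trend, performance, or overview, for example "add 0... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 456 total downloads so far.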

How do I install Stock Tools?

Run the command "/install stock-tools" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Stock Tools free?

Yes. Stock Tools is completely free, is licensed under MIT-0, and can be freely downloaded, installed, and used.

Which platforms does Stock Tools support?

Stock Tools runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Stock Tools?

It is developed and maintained by daguniang (@daguniang); the current version is v1.0.6.
