← 返回 Skills 市场
Vnstock Free Expert
作者
Nguyễn Đức Thành
· GitHub ↗
· v1.0.2
609
总下载
0
收藏
2
当前安装
3
版本数
在 OpenClaw 中安装
/install vnstock-free-expert
功能描述
Runs an end-to-end vnstock workflow for free-tier-safe Vietnam stock valuation, ranking, and API operations with strict rate-limit control; used when users r...
安全使用建议
This package appears to implement a legitimate vnstock valuation pipeline, but take the following precautions before installing or running it:
- Inspect the packaged scripts locally (scripts/*.py). They will make network requests and automatically load a .env file for API keys—do not run them with high-privilege or production credentials.
- The registry did not declare required env vars, yet the skill reads VNSTOCK_API_KEY and references other external API keys. Only put a minimally privileged, test-scoped API key in .env, or run without keys to stay in guest limits.
- Manually open SKILL.md in a text editor that shows invisible characters and remove/verify any control/unicode-control characters; they can affect prompt processing.
- Run the code in an isolated environment (container or VM) so any unexpected network activity is contained; monitor outbound connections during first runs.
- If you plan to use connectors (FMP, DNSE, Binance) provide separate scoped keys per connector and verify where each script sends data. Consider grepping scripts for hard-coded endpoints or upload URLs.
- If you are not comfortable reviewing code, prefer a well-known upstream vnstock package from PyPI/GitHub instead of this unknown-source bundled skill.
Confidence in this assessment is medium because the majority of files and instructions are coherent with the claimed purpose, but the missing declared env vars and hidden unicode-control characters create uncertainty that requires manual review.
功能分析
Type: OpenClaw Skill
Name: vnstock-free-expert
Version: 1.0.2
The skill is designed for legitimate financial analysis using the `vnstock` library. However, the `scripts/invoke_vnstock.py` script allows for highly dynamic invocation of arbitrary Python classes and methods with user-controlled arguments. While intended for broad `vnstock` feature coverage, this capability presents a significant Remote Code Execution (RCE) vulnerability if an AI agent were to be prompted to execute malicious class/method combinations and arguments via this script. There is no evidence of intentional malicious behavior within the skill's code or documentation, but the inherent risk of this dynamic execution makes it suspicious.
能力评估
Purpose & Capability
The name/description match the included scripts and documentation: the skill is a vnstock-based valuation/ranking pipeline and the scripts (build_universe, collect_market_data, collect_fundamentals, score_stocks, generate_report, run_pipeline, invoke_vnstock) are consistent with that purpose. Minor mismatch: requires.env in registry lists no required environment variables, but the SKILL.md repeatedly documents and expects a VNSTOCK_API_KEY in a local .env and references many optional external API keys (FMP, DNSE, BINANCE, etc.). This is plausible for the stated purpose but the registry metadata should have declared these env requirements.
Instruction Scope
The SKILL.md gives a bounded, step-by-step workflow and enforces free-tier rate-limiting rules (good). It instructs the agent to read included reference docs and to load an optional .env file (VNSTOCK_API_KEY) and to save/reuse cached artifacts. That .env access is within the task (auth for vnstock) but the docs also list many other external connector API keys and show example commands with absolute local paths—these examples could confuse an agent into looking for user-local paths. The SKILL.md contains hidden unicode-control characters (prompt-injection signal) which may alter how an agent processes the instructions; this is suspicious and should be inspected.
Install Mechanism
There is no install spec (instruction-only), so nothing will be automatically downloaded or written by an install step. That reduces supply-chain risk. However, code files are packaged with the skill (scripts/...), so running those scripts will perform network operations; there is no separate installer that would fetch arbitrary binary artifacts.
Credentials
The registry metadata declares no required env vars, yet the runtime instructions and documentation expect VNSTOCK_API_KEY in a .env and reference many optional external API keys (FMP_API_KEY, DNSE_API_KEY, BINANCE_API_KEY/SECRET, etc.). The scripts are described as auto-loading .env keys. This mismatch is a red flag: the agent (or the included scripts) may read secrets from a local .env that the registry did not surface. Users should not provide broad credentials; keys should be scoped and tested in an isolated environment.
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or system-wide settings. It documents creating outputs/outputs/* and caching artifacts within its own project directory, which is normal for a pipeline. Autonomous invocation is allowed (default), which is expected for skills and not flagged alone.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vnstock-free-expert - 安装完成后,直接呼叫该 Skill 的名称或使用
/vnstock-free-expert触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
vnstock-free-expert 1.0.2
- Minor update to agent configuration (agents/openai.yaml) with no changes to skill logic or documentation.
- No changes to usage, API, scripts, or user-facing behavior.
v1.0.1
- Added a required downstream handoff bundle specification for single-ticker or small-list deep dives, enabling output as a compact JSON for reuse by other skills.
- No changes to workflow, interface, or main script behavior.
- Documentation updated to describe JSON bundle contents and use cases for cross-skill integration.
v1.0.0
- Initial release of vnstock-free-expert for advanced, free-tier-safe Vietnam stock analysis.
- Implements strict rate-limit control and caching to stay within API free-tier constraints.
- Provides a complete end-to-end pipeline: universe building, data collection, scoring, report generation.
- Uses kbs as primary data source, with vci fallback; excludes tcbs; disables Screener API by default.
- Enforces required confidence rubric and clear reporting of coverage, risks, and missing data.
- Includes generic method invocation scripts for broader vnstock package access.
元数据
常见问题
Vnstock Free Expert 是什么?
Runs an end-to-end vnstock workflow for free-tier-safe Vietnam stock valuation, ranking, and API operations with strict rate-limit control; used when users r... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 609 次。
如何安装 Vnstock Free Expert?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vnstock-free-expert」即可一键安装,无需额外配置。
Vnstock Free Expert 是免费的吗?
是的,Vnstock Free Expert 完全免费(开源免费),可自由下载、安装和使用。
Vnstock Free Expert 支持哪些平台?
Vnstock Free Expert 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Vnstock Free Expert?
由 Nguyễn Đức Thành(@ndtchan)开发并维护,当前版本 v1.0.2。
推荐 Skills