← 返回 Skills 市场
Wyckoff Agent Skill
作者
YoungCan-Wang
· GitHub ↗
· v1.0.1
· MIT-0
89
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install wyckoff-agent-skill
功能描述
Wyckoff A-share analysis agent with full CLI integration. Detects local CLI installation, guides users through setup (install → register → configure data sou...
安全使用建议
This skill's functionality (Wyckoff analysis via a CLI) is coherent, but exercise caution before installing or running commands it suggests: 1) Do not run the curl | bash one-liner unless you inspect the install.sh content in the GitHub repo and confirm the repo/author are trustworthy. 2) Prefer installing the package in an isolated environment (virtualenv, container) and inspect its code before running. 3) Be aware the CLI persists credentials to ~/.wyckoff/wyckoff.json and may auto-relogin; if you supply API keys or account passwords, consider using least-privilege keys or dedicated/test accounts. 4) Verify the pip package (youngcan-wyckoff-analysis) exists on PyPI and review its project homepage, code, and recent activity; absence of a homepage/source in the registry is a red flag. 5) If you need higher assurance, ask the publisher for the canonical repository, a vetted install artifact (PyPI release), and a copy of the install script for manual review — providing those would increase confidence and could move the assessment toward 'benign'.
功能分析
Type: OpenClaw Skill
Name: wyckoff-agent-skill
Version: 1.0.1
The skill bundle promotes high-risk environment setup procedures, including a 'curl | bash' one-liner and 'pip install' for a specific third-party package (youngcan-wyckoff-analysis) in SKILL.md and rules/cli-setup-guide.md. It explicitly guides users to provide sensitive credentials and API keys for financial data services (Tushare, TickFlow), which are stored in a local config file (~/.wyckoff/wyckoff.json). While the logic is consistent with its stated purpose as a trading assistant, the inclusion of a hardcoded affiliate referral link (tickflow.org/auth/register?ref=5N4NKTCPL4) and the reliance on external script execution from GitHub (raw.githubusercontent.com/YoungCan-Wang/Wyckoff-Analysis/main/install.sh) present significant supply chain and RCE risks without clear evidence of intentional malice.
能力标签
能力评估
Purpose & Capability
Name/description (Wyckoff A-share CLI-based analysis) matches the instructions: install/initialize a wyckoff CLI, configure data sources (Tushare/TickFlow), set an LLM model provider, and run analysis. Required capabilities (time, web fetch, CSV/image parsing, plotting) are coherent with the stated purpose.
Instruction Scope
SKILL.md explicitly instructs running CLI commands, performing online fetches, reading CSV/images, and persisting credentials. Those actions are relevant, but the instructions also direct the user/agent to run remote install commands and to persist login tokens automatically—operations that can write files and perform network auth without clarifying storage/encryption or verifying the install script contents.
Install Mechanism
The registry contains no formal install spec, but SKILL.md recommends 'pip install youngcan-wyckoff-analysis' and offers a one-line 'curl -fsSL https://raw.githubusercontent.com/YoungCan-Wang/Wyckoff-Analysis/main/install.sh | bash'. Piping a remote raw script into bash is high risk unless the script and repository are vetted. The pip package and GitHub repo appear unverified/unknown in metadata (homepage/source unknown), increasing install risk.
Credentials
The skill expects users to configure service API keys (Tushare token, TickFlow API key) and model provider API keys (gemini/openai/claude). Those credentials are proportionate to the functionality. However, the skill does not declare env var requirements up front and documents that credentials are persisted to ~/.wyckoff/wyckoff.json and that automatic re-login can occur — this persistent local storage of secrets should be considered before installing.
Persistence & Privilege
always:false (no forced inclusion) and model invocation is allowed (normal). The skill's flow instructs storing tokens on disk and automatic re-login, which grants ongoing network/auth activity and persisted secrets on the host. Combined with the remote-install recommendation and unknown origin, this persistent behavior increases the blast radius if the installed CLI or its install script are malicious or compromised.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wyckoff-agent-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/wyckoff-agent-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Wyckoff-agent-skill 1.0.1
- Added comprehensive SKILL.md documentation detailing setup, onboarding, and operational workflows.
- Clarified two operating modes: guided setup (environment checks) and full Wyckoff-style analysis pipeline.
- Documented all input protocols, workflow steps (0–9), output contract, and hard technical constraints.
- Expanded support for both CLI portfolio management commands and multi-modal inputs (symbols, holdings, CSV, images).
- Included explicit data source fallback rules and capability degradation handling.
元数据
常见问题
Wyckoff Agent Skill 是什么?
Wyckoff A-share analysis agent with full CLI integration. Detects local CLI installation, guides users through setup (install → register → configure data sou... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 89 次。
如何安装 Wyckoff Agent Skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wyckoff-agent-skill」即可一键安装,无需额外配置。
Wyckoff Agent Skill 是免费的吗?
是的,Wyckoff Agent Skill 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Wyckoff Agent Skill 支持哪些平台?
Wyckoff Agent Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Wyckoff Agent Skill?
由 YoungCan-Wang(@youngcan-wang)开发并维护,当前版本 v1.0.1。
推荐 Skills