ksky521

Xiapi Financial Analysis Master (虾皮财务分析大师)

Author: 三水清 · GitHub · v1.0.3 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 156
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install xiapi-financial-roe-analysis
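Description
Performs ROE/DuPont financial analysis of listed companies based on the Daxiapi (大虾皮) financial-report command. Trigger words: financial analysis (财务分析), ROE analysis (ROE分析), DuPont analysis (杜邦分析), stock financials (股票财务), earnings quality (盈利质量), net profit quality (净利润质量), financial statement analysis (财报分析), fundamental analysis (基本面分析), profitability (盈利能力), financial quality (财务质量), cash flow analysis (现金流分析), balance sheet analysis (资产负债分析), financial health (财务健康度), financial report interpretation (财务报告解读). Applicable scenarios: a stock code has been provided and analysis is needed based on `daxiapi report finance <code...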
Security usage recommendations
This skill appears coherent for doing ROE/DuPont financial analysis and contains helpful templates and quality checks. Before installing or running it, consider:
  1. The SKILL.md expects you to run 'npx daxiapi-cli' which will download and run code from the npm registry at runtime — if you prefer, install the CLI locally and audit it beforehand instead of using npx.
  2. The instructions require a DAXIAPI token (DAXIAPI_TOKEN or via 'daxiapi config set token'), but the skill metadata does not declare that requirement. Confirm you are comfortable providing that token and ensure you obtain it from the legitimate daxiapi.com site.
  3. The skill may instruct the agent to fetch PDFs from cninfo (www.cninfo.com.cn); ensure those network accesses are acceptable in your environment.
  4. Because this is instruction-only (no shipped code), the static scanner had nothing to analyze. Review or audit the external CLI package (daxiapi-cli) if you want to reduce supply-chain risk.
If you need lower risk: prefer installing a vetted local CLI binary, or require the user to paste verified financial data instead of allowing the skill to fetch it automatically.
Functional analysis
Type: OpenClaw Skill
Name: xiapi-financial-roe-analysis
Version: 1.0.3
The skill bundle facilitates financial analysis by instructing the AI agent to execute shell commands using 'npx daxiapi-cli@latest' (SKILL.md). This introduces several high-risk behaviors: it handles sensitive API tokens via shell configuration commands, uses unpinned remote package execution which is vulnerable to supply chain attacks, and passes user-provided stock codes directly into shell commands, creating a potential shell injection surface. While these capabilities are aligned with the stated purpose of financial reporting, the inherent risks of shell execution and token management without explicit sanitization or version pinning meet the criteria for a suspicious classification.
Capability assessment
Purpose & Capability
The name/description align with the runtime instructions: the skill fetches structured financial data via the daxiapi CLI and performs ROE/DuPont analysis using the included reference templates and rules. There are no unrelated binaries or credentials requested in the metadata, and the referenced external sources (daxiapi and cninfo) are appropriate for the stated task.
Instruction Scope
SKILL.md confines actions to: running the daxiapi CLI (npx daxiapi-cli report finance <code> or local daxiapi), optionally downloading/reading PDF disclosures from cninfo, and producing structured reports. It explicitly forbids fabricating data and requires user consent before proceeding when data is missing. Note: runtime instructions include commands (npx) that will fetch and execute code from npm and ask the agent to access external websites and PDFs — expected for this use case but introduces normal network/execution risk.
Install Mechanism
There is no install spec in the package (instruction-only). However, the runtime workflow relies on 'npx daxiapi-cli@latest' which will download and execute a package from the public npm registry at runtime. This is expected for a CLI-driven skill, but it means code will be pulled from the network when invoked rather than being shipped with the skill.
Credentials
The metadata declares no required environment variables, yet the SKILL.md clearly instructs acquiring/configuring a DAXIAPI token (via npx config set token or export DAXIAPI_TOKEN). This is a transparency mismatch: the skill will function only if a third‑party API token is provided, but that credential requirement is not declared in the skill metadata. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request 'always: true' or any elevated persistence. It does not modify other skills or system-wide configs in the instructions. Autonomous invocation is allowed (platform default) but there are no additional privilege escalations requested by the skill.
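How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment)
  2. Enter the install command in the chat box: /install xiapi-financial-roe-analysis
  3. Once installation completes, call the Skill by name or trigger it with /xiapi-financial-roe-analysis
  4. Provide the required input according to the Skill's parameter description to receive structured output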
Version history
v1.0.3
- No file changes detected; behavior and logic unchanged.
- Version bump only; documentation and functionality remain the same.
- Users do not need to adjust usage or implementation for this version.
v1.0.2
- No user-facing changes in this version.
- No files were added, removed, or modified.
v1.0.1
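**Version 1.0.1 – Enhanced industry distinction, field clarity, and error handling**
- Added the references/cli-commands.md documentation file, giving a clear reference entry point for command and data-field descriptions.
- Expanded and refined the "trigger words" and "applicable scenarios" to support more financial-analysis scenarios and keywords.
- Added automatic industry identification and a flow for selecting the corresponding analysis framework, preventing misapplication of the DuPont formula (e.g., to the financial industry).
- Upgraded the cninfo (巨潮资讯) PDF verification flow to an automatic "degraded" mode that requires no user interaction, improving the experience.
- Clarified the conditions for WACC/EVA analysis; arbitrarily assuming a WACC is prohibited, to rule out fabricated data.
- Added report format specifications, rules for annotating degradation reasons, and common error-handling scenarios.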
v1.0.0
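Initial release of xiapi-financial-roe-analysis: provides equity ROE and DuPont framework financial analysis for listed companies.
- Supports systematic analysis of ROE decomposition, earnings quality assessment, asset efficiency, and leverage risk
- Obtains structured company financial-statement data via the Daxiapi (大虾皮) financial-report command, with two-way verification against cninfo (巨潮资讯) PDFs
- Defines the workflow as data acquisition, data verification, financial-statement decomposition analysis, and structured report output
- Emphasizes analyzing only known data; uncovered fields and industry benchmarking must be explicitly marked
- Output follows a unified report template, including a conclusion summary, data verification, risk warnings, and a statement of data boundaries
- Explicitly prohibits investment advice, stock price predictions, and fabrication of missing data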
Metadata
Slug xiapi-financial-roe-analysis
Version 1.0.3
License MIT-0
Total installs 0
Current installs 0
Number of historical versions 4
FAQ

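What is Xiapi Financial Analysis Master (虾皮财务分析大师)?

Performs ROE/DuPont financial analysis of listed companies based on the Daxiapi (大虾皮) financial-report command. Trigger words: financial analysis (财务分析), ROE analysis (ROE分析), DuPont analysis (杜邦分析), stock financials (股票财务), earnings quality (盈利质量), net profit quality (净利润质量), financial statement analysis (财报分析), fundamental analysis (基本面分析), profitability (盈利能力), financial quality (财务质量), cash flow analysis (现金流分析), balance sheet analysis (资产负债分析), financial health (财务健康度), financial report interpretation (财务报告解读). Applicable scenarios: a stock code has been provided and analysis is needed based on `daxiapi report finance <code... It is an AI Agent Skill plugin for Claude Code / OpenClaw and currently has 156 total downloads.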

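How do I install Xiapi Financial Analysis Master?

Run the command "/install xiapi-financial-roe-analysis" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.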

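Is Xiapi Financial Analysis Master free?

Yes, Xiapi Financial Analysis Master is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.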

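Which platforms does Xiapi Financial Analysis Master support?

Xiapi Financial Analysis Master runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).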

Who developed Xiapi Financial Analysis Master?

It is developed and maintained by 三水清 (@ksky521); the current version is v1.0.3.
