← 返回 Skills 市场
yahoo-finance-bist
作者
Niyazi Sönmez
· GitHub ↗
· v1.0.0
410
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install yahoo-finance-bist
功能描述
Yahoo Finance API tabanlı tarihsel veri analizi, algoritmik teknik indikatör skoru (RSI, MACD, Stoch, SMA), Excel geçmiş veri dışa aktarma, portföy alarm tak...
安全使用建议
What to consider before installing:
- The code provided implements the advertised Yahoo Finance features and does not request credentials, but SKILL.md forces the agent to run local scripts and only return their output (no model reasoning shown). That pattern is unusual because it makes the agent a blind conduit for script outputs — verify you trust the included scripts.
- Review the included Python files yourself (they are bundled) and confirm they do only what you expect: fetch Yahoo endpoints, compute indicators, and write CSV/HTML in the skill folder. They do not contact other external domains or read arbitrary system files.
- Confirm the exec paths in SKILL.md (/home/node/.openclaw/skills/yahoo_portfoy_analiz/...) match where the skill will be installed. If not, the agent may fail to run or attempt to execute different code.
- Because scripts write files and can create many CSVs, run the skill in a sandboxed environment or with limited filesystem/network permissions if possible.
- If you plan to allow autonomous agents to use this skill, consider disabling autonomous invocation or requiring explicit user confirmation before running any scripts, so the agent cannot silently execute code on keyword matches.
- If you need higher assurance, ask the publisher for a signed release or run the scripts manually in a controlled environment to validate outputs before allowing automatic execution.
功能分析
Type: OpenClaw Skill
Name: yahoo-finance-bist
Version: 1.0.0
The skill bundle is classified as suspicious due to two significant vulnerabilities. The `investing_excel_exporter.py` script is vulnerable to path traversal, allowing an attacker to write CSV files to arbitrary locations on the filesystem by crafting the `symbol` argument. Additionally, the `investing_trade_logger.py` script is vulnerable to Stored Cross-Site Scripting (XSS) in its generated HTML report (`Nikos_Portfoy_Analiz.html`), as user-controlled `symbol` and `name` values are embedded directly into JavaScript arrays and HTML without proper escaping. While the `SKILL.md` uses prompt injection techniques to control the AI agent's behavior, its intent appears to be to enforce factual data reporting rather than malicious action. All network calls are legitimately directed to Yahoo Finance API.
能力评估
Purpose & Capability
Name/description, the four Python scripts, and included data files all implement Yahoo Finance historical data fetch, indicator calculation (RSI, MACD, Stoch, SMA), CSV/Excel export, portfolio alerts and trade logging — consistent with the stated purpose.
Instruction Scope
SKILL.md mandates the agent must run specific exec commands (absolute paths) for user queries, announce 'script is running', then read and relay ONLY the script output and must not use any internal knowledge. This enforces blind execution of local code and suppresses model reasoning/transparency. Although the included scripts appear to access only Yahoo Finance and local files, the enforced output-only workflow increases risk (it can hide what the agent did) and is unusual. The SKILL.md also uses absolute paths (/home/node/.openclaw/skills/...), which may not match the deployment location of the provided files — an operational inconsistency.
Install Mechanism
No install spec / no external downloads. All source files are included in the skill bundle (no network install step), so there's no remote installer or archive to fetch.
Credentials
The skill requires no environment variables or credentials; scripts call only Yahoo Finance public endpoints and read/write files under the skill directory. The requested access (network to Yahoo, local file read/write) is proportionate to the described features.
Persistence & Privilege
always:false and user-invocable:true. The scripts create and manage local files (trade_history.json, portfolio_alerts.json, CSVs under symbol_data/) and will remove old CSVs if many accumulate. The skill does not request system-wide config or other skills' credentials. Be aware the platform default allows autonomous invocation (disable-model-invocation:false); combined with the SKILL.md requirement to auto-exec scripts on matching keywords, this increases blast radius if the agent is permitted to act autonomously.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install yahoo-finance-bist - 安装完成后,直接呼叫该 Skill 的名称或使用
/yahoo-finance-bist触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- İlk sürüm: yahoo-finance-advisor yeteneği eklendi.
- Gerçek zamanlı veri, teknik indikatör skoru (RSI, MACD, Stoch, SMA), geçmiş veri excel dışa aktarımı, portföy alarm ve işlem loglama desteği getirildi.
- BIST (.IS), ABD, kripto, emtia ve parite sembollerine destek sağlandı.
- Kullanıcıdan gelen anahtar kelimelerle akıllı tetikleyici sistem entegre edildi.
- FlareSolverr gerektirmeden doğrudan Yahoo Finance API ile çalışır.
元数据
常见问题
yahoo-finance-bist 是什么?
Yahoo Finance API tabanlı tarihsel veri analizi, algoritmik teknik indikatör skoru (RSI, MACD, Stoch, SMA), Excel geçmiş veri dışa aktarma, portföy alarm tak... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 410 次。
如何安装 yahoo-finance-bist?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install yahoo-finance-bist」即可一键安装,无需额外配置。
yahoo-finance-bist 是免费的吗?
是的,yahoo-finance-bist 完全免费(开源免费),可自由下载、安装和使用。
yahoo-finance-bist 支持哪些平台?
yahoo-finance-bist 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 yahoo-finance-bist?
由 Niyazi Sönmez(@nikolayco)开发并维护,当前版本 v1.0.0。
推荐 Skills