← 返回 Skills 市场

yf-stats

Name: yf-stats
Author: grayson85

作者 grayson85 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

322

总下载

当前安装

版本数

在 OpenClaw 中安装

/install yf-stats

功能描述

Fetches stock data and generates price charts.

安全使用建议

This skill appears to be what it says: it uses yfinance to fetch public market data and matplotlib to save a PNG chart. Before installing, be aware that: 1) installing requirements will pull packages from PyPI (check package versions/trust); 2) the script performs network calls to Yahoo Finance (ensure network policy/sandboxing is acceptable); 3) it writes chart files to the current working directory; and 4) no credentials are required or requested. If you want extra caution, run it in an isolated environment or inspect/ pin the package versions before installing.

功能分析

Type: OpenClaw Skill Name: yf-stats Version: 1.0.0 The skill contains a potential shell command injection vulnerability in SKILL.md, where the {{ticker}} parameter is substituted into a command string without quoting or sanitization. Additionally, yf_scraper.py is vulnerable to a minor path traversal flaw because it uses the unsanitized ticker input to construct the output filename for generated charts (plt.savefig). While these appear to be unintentional security flaws rather than intentional malware, they represent high-risk vulnerabilities that could be exploited to execute arbitrary commands or write files to unintended locations.

能力评估

✓ Purpose & Capability

Name/description match the included files: SKILL.md instructs running yf_scraper.py, requirements list yfinance/pandas/matplotlib, and the script fetches ticker.info/history and optionally saves a PNG chart — all expected for a 'yf-stats' charting tool.

✓ Instruction Scope

SKILL.md gives a narrow, specific runtime command (python3 yf_scraper.py {{ticker}} {{chart_flag}}) and the script only reads the ticker argument, calls yfinance, prints summary info, and optionally writes a chart file. There are no instructions to read unrelated files, environment variables, or send data to unfamiliar endpoints.

ℹ Install Mechanism

This is instruction-only (no install spec). A requirements.txt is provided for Python packages; installing those will pull from PyPI (yfinance, pandas, matplotlib). That is proportional to the task but installing third-party packages has normal supply-chain risk — nothing in the package list is surprising for this functionality.

✓ Credentials

The skill declares no required env vars or credentials and the script does not access secrets. It does require network access (yfinance queries Yahoo Finance) and writes a chart PNG to the working directory — both are reasonable for the stated purpose.

✓ Persistence & Privilege

always is false and the skill does not modify agent or system configuration or request persistent privileges. It only writes a local chart file when asked.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install yf-stats
安装完成后，直接呼叫该 Skill 的名称或使用 /yf-stats 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

- Initial release of yf-stats. - Fetches stock data using Yahoo Finance symbols. - Generates price charts when users request charts, graphs, or trends. - Simple command interface with support for visual output via a --chart flag.

元数据

Slug yf-stats

版本 1.0.0

许可证 MIT-0

累计安装 1

当前安装数 1

历史版本数 1

常见问题

yf-stats 是什么？

Fetches stock data and generates price charts. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 322 次。

如何安装 yf-stats？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install yf-stats」即可一键安装，无需额外配置。

yf-stats 是免费的吗？

是的，yf-stats 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

yf-stats 支持哪些平台？

yf-stats 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 yf-stats？

由 grayson85（@grayson85）开发并维护，当前版本 v1.0.0。