← 返回 Skills 市场

Yingmi Skill

Name: Yingmi Skill
Author: yingmi-soc

作者 Yingmi-SOC · GitHub ↗ · v0.1.3 · MIT-0

cross-platform ⚠ suspicious

101

总下载

当前安装

版本数

在 OpenClaw 中安装

/install yingmi-skill

功能描述

当用户需要查询基金、策略、公告、财经资讯，做资产配置、组合诊断、风险回测、现金流分析，或生成图表、PDF 时，优先使用本 Skill 获取真实数据与可执行能力。

安全使用建议

Before installing or using this skill, note these points: (1) The skill will ask you to install a global npm package (yingmi-skill-cli) and may ask you to run sudo if permissions fail — avoid running sudo on unreviewed code. (2) The CLI initialization flow requests your phone number and an SMS verification code and will write an apiKey to ~/.yingmi-skill-cli/config.json — you are sharing PII and granting the CLI persistent credentials. (3) The registry metadata does not declare the apiKey/phone requirement or provide a homepage/repository link, so the operational details are not fully transparent. Recommended actions: verify the npm package and its source (find the package on npm/Gitee/GitHub, inspect the repository and package contents), avoid global sudo installs (consider a sandbox/container or a local install), review the CLI code for data exfiltration, and only provide phone/SMS codes if you trust the publisher and have validated the upstream repository and privacy policy. If you cannot validate the package source, do not proceed.

功能分析

Type: OpenClaw Skill Name: yingmi-skill Version: 0.1.3 The skill requires the agent to install a global NPM package (`yingmi-skill-cli`) and explicitly suggests using `sudo` for installation in `references/CLI前置检查.md`. It also directs the agent to collect the user's phone number and SMS verification code to initialize an API key. Furthermore, the skill includes a 'remote-skill' feature that allows the execution of arbitrary scripts via the CLI. While these capabilities are aligned with the stated purpose of a financial assistant for the 'Qieman' platform, the combination of high-privilege installation, credential handling, and remote execution represents a significant security risk.

能力评估

⚠ Purpose & Capability

The skill claims to provide finance data/analysis via a CLI (yingmi-skill-cli), which is coherent in general. However, the registry metadata declares no credentials/config required, while the SKILL.md requires a CLI-initialized apiKey (obtained via phone + SMS verification) and writes config to ~/.yingmi-skill-cli/config.json. That mismatch (undisclosed apiKey/PII requirement) is unexpected and should have been declared.

⚠ Instruction Scope

Runtime instructions direct the agent (and/or user) to install/upgrade a global npm package, run CLI commands that read/write local config, request the user's phone number and SMS verification code, and then proceed to use the CLI to call remote MCP tools. Collecting phone numbers/SMS codes and storing an apiKey are sensitive operations and are not surfaced in the skill metadata. The instructions also permit use of sudo for npm install, which elevates risk if the package is untrusted.

ℹ Install Mechanism

There is no registry install spec (skill is instruction-only), but the SKILL.md recommends npm install -g yingmi-skill-cli@latest from https://registry.npmmirror.com and suggests sudo if permissions fail. The check-upgrade script fetches a remote 'version' file from gitee raw URLs via curl. Using npm global installs and remote curl pulls is expected for a CLI-backed skill, but it increases risk because arbitrary code from the npm package or remote repo will run on the user's system; the documentation does not point to an official, reviewable homepage or repository in the registry metadata.

⚠ Credentials

The skill metadata declares no required credentials/env vars, yet the runtime flow produces and consumes an apiKey (written to ~/.yingmi-skill-cli/config.json) and requires the user to supply a phone number and SMS verification code. Requesting PII and an apiKey without declaring it is disproportionate and reduces transparency. Also, recommending global installation (and sudo) can require elevated privileges that are not justified in the registry entry.

ℹ Persistence & Privilege

always:false and the skill does not request forced platform presence. However, the skill instructs installing a global CLI and initializing a persistent local config (including an apiKey) in the user's home directory. That creates persistence and modifies the system environment outside the agent; this is expected for a CLI-based integration but is a material privilege and should be considered before installation.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install yingmi-skill
安装完成后，直接呼叫该 Skill 的名称或使用 /yingmi-skill 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.3

Republish current skill under Yingmi-SOC

v1.0.0

yingmi-skill 1.0.0 - 首次发布，提供全面接入且慢 MCP 金融数据与分析能力。 - 支持基金、策略、公告、财经资讯等多项数据查询和分析工具。 - 提供资产配置、组合诊断、风险回测、现金流分析、行情分析等核心功能。 - 详细列出所有工具及使用方法，强制前置检查确保环境与依赖正确初始化。 - 支持生成图表和 PDF，返回访问 URL。

元数据

Slug yingmi-skill

版本 0.1.3

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 2

常见问题

Yingmi Skill 是什么？

当用户需要查询基金、策略、公告、财经资讯，做资产配置、组合诊断、风险回测、现金流分析，或生成图表、PDF 时，优先使用本 Skill 获取真实数据与可执行能力。它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 101 次。

如何安装 Yingmi Skill？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install yingmi-skill」即可一键安装，无需额外配置。

Yingmi Skill 是免费的吗？

是的，Yingmi Skill 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Yingmi Skill 支持哪些平台？

Yingmi Skill 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Yingmi Skill？

由 Yingmi-SOC（@yingmi-soc）开发并维护，当前版本 v0.1.3。