Tianji Data
Author: horizoncove · v1.0.0 · MIT-0
Total downloads: 75 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install yuheng-tianji-data
Description
| Priority | Data source | Method | Latency | Instruments covered |. Trigger words: 搜索, search, skill, 优化, 数据, data.
Security usage recommendations
This skill appears to implement market data scraping and alerting, which matches its description, but exercise caution before installing:
- Inspect and control outbound messaging: market_watcher.push_to_feishu sends messages via an external messaging tool to a hardcoded Feishu user id (ou_...). Confirm who owns that account and whether you want alerts sent there. The skill does not declare any Feishu/token env vars — it relies on existing workspace tooling/credentials.
- Command-injection risk: push_to_feishu embeds the alert text directly into a python -c string without escaping; a crafted alert could break that string and execute arbitrary code. Prefer modifying the code to call a local function/module directly, pass the message as a safely-escaped argument (or via stdin), or use subprocess with an argument list referencing a script file rather than an interpolated -c string.
- Data exposure: collected snapshots and alerts are written under /workspace/data/tianji-system. If that workspace is shared or backed up, sensitive data could leak. Restrict access or change the storage path if necessary.
- Dependencies on external tooling: the code dynamically imports message_tool and tools.message which are not part of the skill. Audit those modules (where they live in your environment) to see how they deliver messages and where credentials are stored.
- Testing recommendation: run the skill in a restricted/sandboxed environment first (no credentials, no messaging tooling) to verify behavior, and consider removing or stubbing the push_to_feishu function until you verify the target and escape handling.
If you need, I can produce a safe patch for push_to_feishu (escape the message, remove hardcoded target, or provide a safer API) or list the exact locations to change.
Functional analysis
Type: OpenClaw Skill
Name: yuheng-tianji-data
Version: 1.0.0
The skill bundle is designed for financial market data collection and monitoring, fetching data from Tencent and Sina APIs. It contains a critical code injection vulnerability in 'market_watcher.py' within the 'push_to_feishu' function, which uses 'subprocess.run' to execute a Python snippet containing an unsanitized 'alert_msg' string. Additionally, it includes a hardcoded Feishu recipient ID ('user:ou_fd61d5ebc9af22913aa4c21c8e3cac14') for alerts. While these represent significant security risks and poor coding practices, they appear to be unintentional vulnerabilities rather than clear evidence of malicious intent.
Capability assessment
Purpose & Capability
Name/description and code align: the Python modules fetch market data from public endpoints (qt.gtimg.cn, hq.sinajs.cn) and produce snapshots/alerts. The SKILL.md and code consistently target market data collection and alerting. Minor inconsistency: SKILL.md mentions helper actions like extract_content_from_websites and batch_web_search that are not provided as named functions in the shipped modules (the code uses its own _fetch/get_* functions).
Instruction Scope
Instructions and code instruct storing data under /workspace/data/tianji-system (expected for a data-scraper). However, market_watcher.py contains push_to_feishu which constructs a subprocess call that invokes tools.message with a hardcoded Feishu user id. That causes the skill to potentially send alerts (and therefore data) out of the agent environment to an external account without any explicit credential declaration in the skill metadata. The SKILL.md does not document this messaging behavior or the external target.
Install Mechanism
No install spec — instruction-only plus included Python files. No downloaded/extracted third-party artifacts or unusual install behavior were found.
Credentials
The skill declares no required env vars or credentials, yet the code attempts to call an external messaging tool (tools.message / message_tool) that presumably relies on platform or workspace credentials. The absence of declared credential requirements hides the fact that alerts may be sent using pre-existing messaging credentials. Also push_to_feishu uses a hardcoded target user id, which may leak data to an unknown external recipient.
Persistence & Privilege
The skill writes data and logs to /workspace/data/tianji-system and uses /tmp/tianji_prev_state.json for state — reasonable for a data collector. always:false (no forced persistence). It does not attempt to modify other skills or system-wide config. Creating files in the workspace is expected but means collected data will persist in the agent environment.
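How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install yuheng-tianji-data
- Once installation completes, invoke the Skill by name or trigger it with /yuheng-tianji-data
- Provide the required inputs according to the Skill's parameter description to get structured output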
Version history
v1.0.0
Initial release of tianji-data.
- Provides prioritized, free multi-source financial and commodity data collection.
- Includes code samples and interface usage for real-time A-shares, commodities, Hong Kong indices, and QDII ETFs.
- Standardizes data format and storage; documents storage paths.
- Details data collection, quality, and error handling protocols.
- Lists supported collection keywords and supported sources.
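FAQ
What is Tianji Data?
| Priority | Data source | Method | Latency | Instruments covered |. Trigger words: 搜索, search, skill, 优化, 数据, data. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 75 cumulative downloads to date.
How do I install Tianji Data?
Run the command "/install yuheng-tianji-data" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.
Is Tianji Data free?
Yes, Tianji Data is completely free. It is released under the MIT-0 license and may be freely downloaded, installed and used.
Which platforms does Tianji Data support?
Tianji Data is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Tianji Data?
It is developed and maintained by horizoncove (@horizoncove); the current version is v1.0.0.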