📦 Stock Tools — 自选股管理

v1.0.6

一句话管理自选股清单，实时对话获取A股行情、涨跌幅与走势概览。

0· 339·0 当前·0 累计

by @daguniang

数据分析 API工具

下载技能包

最后更新

2026/4/8

安全扫描

VirusTotal

可疑

查看报告

OpenClaw

可疑

medium confidence

NULL

评估建议

This skill is internally consistent with its description and uses only a public quote endpoint; it does not request secrets. However, the stock management CLI allows a --file override that can point at any path the process can access — which could be used to read or overwrite sensitive files if the agent is instructed to do so. Before installing, consider: (1) only enable this skill in a sandboxed agent environment where the agent process has limited filesystem access, (2) review and/or modify s...

详细分析 ▾

✓ 用途与能力

Name/description, SKILL.md, and included scripts align: fetch_quote.js queries the public Sina quote API and stock_tools.js manages a local watchlist file. No unrelated credentials, binaries, or external services are requested.

ℹ 指令范围

SKILL.md confines file storage to a workspace path (stocks-data/stocklist.txt) and instructs use of the included node scripts. The code implements exactly that. However, the stock_tools.js CLI accepts a --file argument permitting arbitrary file paths; the documentation does not warn about this override, which could be misused to access non-watchlist files.

✓ 安装机制

No install spec or external downloads. The skill is instruction-only with two bundled JS scripts — nothing is fetched at install time and no external packages are automatically installed.

✓ 凭证需求

No environment variables, credentials, or config paths are required. The network usage (https calls to hq.sinajs.cn) matches the stated purpose.

⚠ 持久化与权限

The skill writes to and reads from the filesystem (stocks-data/stocklist.txt) as intended. But because the CLI supports --file to point at arbitrary paths, an agent invoking this skill could read or overwrite arbitrary files that the skill process has access to. Although always:false, autonomous invocation plus this file-override capability raises risk of accidental or intentional data exposure.

安全有层次，运行前请审查代码。

运行时依赖

无特殊依赖

版本

latestv1.0.62026/3/27

NULL

● 可疑

安装命令

点击复制

官方npx clawhub@latest install stock-tools

镜像加速npx clawhub@latest install stock-tools --registry https://cn.longxiaskill.com镜像同步中

需要定制？告诉我你的需求 →

数据来源：ClawHub ↗ · 中文优化：龙虾技能库