有色小钻风 Metal Price Daily
Daily non-ferrous metals briefing for AI agents. Collects real-time base metals prices (Cu/Zn/Al/Ni/Co/Bi) from Yahoo Finance, CCMN 長江有色, and SMM, aggregates...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 1 · 39 · 0 current installs · 0 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description, SKILL.md, README and the scripts are coherent: they collect prices/news and produce a Telegram briefing. However the registry metadata claims no required env vars while the shipped scripts clearly expect TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID in a .env file — this mismatch is unexplained and worth correcting.
Instruction Scope
The runtime instructions and scripts stay within the stated purpose: HTTP fetches to public data sources, parsing, formatting, and sending to Telegram. The code reads a local .env file and runs the bundled node scripts (via execFile) — actions are scoped to the repository and remote public web endpoints. No instructions perform unrelated system-wide reads or unexpected external uploads.
Install Mechanism
There is no install spec and no external packages are pulled; the project runs as plain Node.js scripts. This is a lower-risk install model. The files are not obfuscated and fetch targets are public websites (Yahoo, CCMN, SMM, Stooq, RSS feeds).
Credentials
The code requires Telegram credentials (TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID) but the registry metadata lists no required env vars, creating an incoherence. The scripts parse the entire .env file from project root — if you put other secrets in that .env they will be read into memory (though not obviously exfiltrated). README mentions optional API keys (METAL_PRICE_API_KEY, ALPHA_VANTAGE_KEY) which are not used; this is confusing but not immediately harmful.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It can be invoked autonomously (platform default), which increases blast radius but is normal for skills; combine that with the env mismatch when deciding trust.
What to consider before installing
What to check before installing or running:
- The code requires a Telegram bot token and chat ID (set in a .env file). The registry metadata incorrectly lists no required env vars — confirm you will provide only a dedicated Telegram bot token and not put other secrets in .env.
- Inspect .env before running. Because the scripts parse the entire .env file in project root, do not place unrelated credentials or secrets there.
- Review the repository code yourself (already included). The scripts fetch many public web pages and send the resulting report to Telegram; ensure you trust the destination chat_id and bot.
- Run the skill in a limited environment (container or low-privilege account) first to observe network behavior and logs.
- If you plan to allow autonomous invocation, consider the increased risk: the skill will periodically fetch external data and post to Telegram without further prompts. If you need stronger assurance, ask the publisher to correct the registry metadata to declare TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID as required env vars and to explain any optional API keys.scripts/daily-report.mjs:6
File read combined with network send (possible exfiltration).
scripts/fetch-prices.mjs:7
File read combined with network send (possible exfiltration).
scripts/send-telegram.mjs:13
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
有色小鑽風 · Metal Price Daily 🦞📊
AI-driven non-ferrous metals daily briefing — data collection + professional analyst report via Telegram.
每日 14:00 CST(上午盤收盤後)自動採集有色金屬行情,由 AI 生成專業交易員級分析簡報並推送到 Telegram。零付費 API,開箱即用。
Features
- 📊 多源價格聚合 — Yahoo Finance (USD)、CCMN 長江有色 (CNY)、SMM 上海有色
- 📰 新聞 + 市場情緒 — Google News RSS(中英文)、SMM 快訊、Reddit r/Commodities
- 🏦 投行信號過濾 — 自動過濾高盛/摩根大通/花旗的有色金屬研究報告
- 📈 技術面分析 — 遠期曲線(spot/+2M/+6M)、基差、正/反向市場判斷
- 🔮 四維交叉推理 — 技術面 × 基本面 × 市場情緒 × 宏觀,含置信度評分
- 🔥 異動偵測 — Reddit hot vs top 榜分歧,捕捉突發熱點
- 🚫 零付費 API — 全部免費數據源,無需任何 API key
Metals Covered
| Metal | USD | CNY |
|---|---|---|
| Copper (Cu) | Yahoo HG=F ✅ | CCMN ✅ + SMM ✅ |
| Zinc (Zn) | — | CCMN ✅ + SMM ✅ |
| Aluminum (Al) | Yahoo ALI=F ✅ | — |
| Nickel (Ni) | — | CCMN ✅ + SMM ✅ |
| Cobalt (Co) | — | CCMN ✅ |
| Bismuth (Bi) | SMM $15,600/t ✅ | SMM ¥163,000/t ✅ |
Quick Start
git clone https://github.com/RAMBOXIE/metal-price.git
cd metal-price
cp .env.example .env # 填入 TELEGRAM_BOT_TOKEN + TELEGRAM_CHAT_ID
node scripts/fetch-all-data.mjs # 採集數據(~2s)
Environment Variables
TELEGRAM_BOT_TOKEN= # 必填:Telegram Bot Token
TELEGRAM_CHAT_ID= # 必填:目標群組/頻道 ID
Key Scripts
| Script | Description |
|---|---|
scripts/fetch-all-data.mjs | 主數據採集腳本,~2s 完成,輸出 JSON |
scripts/daily-report.mjs | 完整日報流程(採集 + AI 分析 + 發送) |
scripts/send-telegram.mjs | Telegram 發送工具(支持管道輸入) |
Agent Integration (OpenClaw Cron)
在 OpenClaw 中設置每日 14:00 定時任務:
{
"schedule": { "kind": "cron", "expr": "0 14 * * *", "tz": "Asia/Shanghai" },
"payload": {
"kind": "agentTurn",
"message": "Run node D:\\Projects\\metal-price\\scripts\\fetch-all-data.mjs, analyze the JSON output, and send a professional metals trading brief to Telegram.",
"timeoutSeconds": 90
}
}
Data Sources Status
| Source | Status |
|---|---|
| Yahoo Finance (HG=F / ALI=F) | ✅ Free |
| CCMN 長江有色 | ✅ Free |
| SMM 上海有色 (hq.smm.cn/h5) | ✅ Free, no login |
| Reddit r/Commodities | ✅ JSON API |
| Google News RSS | ✅ Free |
| LME official | ❌ Cloudflare 403 (returns null) |
License
MIT · GitHub
Files
8 totalSelect a file
Select a file to preview.
Comments
Loading comments…