Stock Monitor Skill

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its stock-alert purpose, but it should be reviewed because alert delivery can run an unreviewed neighboring Feishu voice script while using messaging/API credentials.

Install only if you are comfortable providing Feishu and Noiz credentials and sending stock alert details to those services. Before enabling cron, inspect the full monitor.sh file and the neighboring feishu-edge-tts send_voice.sh helper, because that helper is not included in the reviewed package.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When a stock alert fires, code from another directory could run with the same environment, including Feishu and Noiz credentials.

Why it was flagged

At alert time, the skill can execute a sibling helper script outside the reviewed file manifest. That helper's provenance, version, and credential handling are not visible in this package.

Skill content

if [ -d "$BASE_DIR/../feishu-edge-tts/scripts" ]; then
    bash "$BASE_DIR/../feishu-edge-tts/scripts/send_voice.sh" -t "$message" --no-send false

Recommendation

Before enabling alerts or cron, review the feishu-edge-tts send_voice.sh script. The skill author should declare and pin this dependency, include the helper code, or require explicit user confirmation before invoking it.

What this means

If these credentials are exposed or over-scoped, someone could misuse the configured Feishu app or Noiz account.

Why it was flagged

The skill requires Feishu app credentials, a chat ID, and a Noiz API key to send voice alerts. This is expected for the stated integration, but these are sensitive account-level secrets.

Skill content

export FEISHU_APP_ID="cli_xxx"
export FEISHU_APP_SECRET="xxx"
export FEISHU_CHAT_ID="oc_xxx"
export NOIZ_API_KEY="xxx"

Recommendation

Use a dedicated, least-privilege Feishu app/chat and a dedicated Noiz key. Avoid putting secrets in shared shell history or logs, and rotate them if exposed.

What this means

Your monitored stock names, prices, and alert conditions may be shared with the configured Feishu chat and voice/TTS provider.

Why it was flagged

The alert workflow sends stock alert content to Feishu voice messaging, and the documented Noiz API key suggests text-to-speech provider involvement. This is purpose-aligned, but it means watchlist/alert details may leave the local machine.

Skill content

Automatically sends a Feishu voice message when a threshold is crossed

Recommendation

Only monitor information you are comfortable sending to those providers, and verify the destination chat before running the monitor.

What this means

The monitor can keep running and sending alerts until the cron entry is removed.

Why it was flagged

The package documents a recurring cron job that keeps the monitor running periodically. This is disclosed and aligned with automatic stock monitoring, but it is persistent.

Skill content

*/5 9-11,13-15 * * 1-5 bash /root/.openclaw/workspace/skills/stock-monitor-skill/scripts/monitor.sh >> /tmp/stock_monitor.log 2>&1

Recommendation

Add the cron job only if you want continuous monitoring, run it under a minimally privileged account where possible, and know how to remove or disable it.