a-share-analysis
v1.0.0提供A股实时行情、技术指标、财务数据和市场情绪分析,生成详细的Markdown格式综合投资报告。
⭐ 0· 256·2 current·2 all-time
by@czf0718
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the included code: there are many scripts for realtime quotes, technicals, fundamentals, sentiment, memory, and report generation which are coherent with an A‑share analysis tool. However the SKILL.md examples reference module names like fetch_technical_indicators.py and generate_report.py that do not exactly match the shipped filenames (e.g., fetch_technical_indicators_free.py, generate_report_pro.py, generate_report_detailed.py). That mismatch is unexpected and can cause runtime errors or indicate sloppy packaging.
Instruction Scope
The runtime instructions show importing and running local scripts (fetchers and report generators) which is appropriate, but the SKILL.md and documentation also reference operations that read/write user files (reports in ~/.openclaw/workspace and a-share-reports/, memory/ storage) and external authentication flows (Firecrawl auto-auth). SKILL.md does not clearly document what data is persisted or what exact external endpoints will receive data. There is also a discrepancy between the script names used in examples and the actual filenames, which widens the agent's discretion to choose different modules or fail over to other code paths.
Install Mechanism
No install spec or remote downloads are present in the registry metadata — the skill is delivered as code bundled with the skill files (no external installer URLs). That reduces supply‑chain download risk. Dependencies are Python scripts and documented pip packages (requests, reportlab) — installing those is expected for this kind of tool.
Credentials
Registry metadata declares no required env vars or credentials, but the included documentation and scripts reference third‑party services and credentials (FIRECRAWL_API_KEY, optional OpenAI API for memory/vector search, and Firecrawl browser authentication flow). Those are reasonable for optional features (news sentiment, vector memory), but they are NOT declared in requires.env. This omission is a mismatch: the skill can prompt for or attempt to use sensitive credentials that the metadata did not surface.
Persistence & Privilege
The skill writes reports and 'memory' records to disk (a-share-reports/, memory/ and ~/.openclaw paths) and includes an organize_reports.py script — this persistence aligns with its reporting purpose. always: false and normal autonomous invocation are set. The ability to store persistent analysis and history increases blast radius (if credentials or sensitive inputs end up in stored reports), so users should be aware of local data written by the skill.
What to consider before installing
This package mostly looks like a real A‑share analysis/report generator, but before installing or giving it access to your environment: 1) Review the code (or run in an isolated sandbox) — examples in SKILL.md reference filenames that don't exactly match the shipped scripts; that can cause unexpected behavior. 2) Expect the skill to write report and memory files under your home directory (a-share-reports/, memory/, and ~/.openclaw). If that's sensitive, run it in an isolated workspace. 3) The repo references external services (Firecrawl for news sentiment and OpenAI for vector search). Those require API keys (e.g., FIRECRAWL_API_KEY, OpenAI) but the registry did not declare them — only provide such keys if you trust what data will be sent. 4) If you plan to enable commercial/auto‑auth features, inspect firecrawl_auto_auth.py to confirm it only sets/uses local tokens and does not exfiltrate other credentials. 5) Ask the publisher to: declare required env vars in the skill metadata, fix mismatched example import names, and document exactly which external endpoints the skill calls. If you cannot get those assurances, test in a sandbox or decline to run with real credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk9778nb3kpaf26np66fbsqw02x82n081
License
MIT-0
Free to use, modify, and redistribute. No attribution required.