Security checks across malware telemetry and agentic risk
The skill mostly matches its stock-report purpose, but it embeds API credentials and defaults Feishu delivery to a specific user ID that is not clearly disclosed.
Review carefully before installing. Replace or remove the embedded API keys, rotate them if they belong to you, set FEISHU_TARGET explicitly before running, and verify the qveris and mx_data dependencies separately. Only add the cron entry if you intentionally want ongoing weekday report generation and Feishu delivery.
"--card", card_json
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
if result.returncode == 0:
print(f"✅ 日报已发送到飞书")codes = list(INDEX_CODES.keys())
codes_str = ",".join(codes)
cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call ths_ifind.real_time_quotation.v1 --discovery-id "{DISCOVERY_ID}" --params '{{"codes":"{codes_str}"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
output = result.stdout
lines = output.split('\n')-H "apikey:{MX_APIKEY}" \
-d '{{"toolQuery": "A股成交额 近5日"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
json_start = result.stdout.find('{')
if json_start < 0:codes_str = ",".join(codes)
cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call ths_ifind.real_time_quotation.v1 --discovery-id "{DISCOVERY_ID}" --params '{{"codes":"{codes_str}"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
output = result.stdout
lines = output.split('\n')print("正在使用QVeris获取汇率...")
# 先discover获取discovery_id
discover_cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} discover "exchange rate" 2>&1'''
discover_result = subprocess.run(discover_cmd, shell=True, capture_output=True, text=True, timeout=30)
discover_output = discover_result.stdout
# 提取discovery_id# 调用API
cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call alphavantage.currency_exchange_rate.retrieve.v1 --discovery-id "{discovery_id}" --params '{{"function":"CURRENCY_EXCHANGE_RATE","from_currency":"USD","to_currency":"CNY"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
output = result.stdout
lines = output.split('\n')# 恒生指数代码: HSI.HK,使用已有的discovery_id
cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call ths_ifind.real_time_quotation.v1 --discovery-id "{DISCOVERY_ID}" --params '{{"codes":"HSI.HK"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
output = result.stdout
lines = output.split('\n')# QVeris 美债代码(需要测试)
codes = "TYX1" # CBOE 30年期国债期货
cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call ths_ifind.real_time_quotation.v1 --discovery-id "{DISCOVERY_ID}" --params '{{"codes":"{codes}"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
output = result.stdout
lines = output.split('\n')start_date = (today - timedelta(days=10)).strftime("%Y-%m-%d")
cmd = f'curl -s "https://fred.stlouisfed.org/graph/fredgraph.csv?id=DGS30&cosd={start_date}"'
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
output = result.stdout
# 解析CSV数据# QVeris 美元指数代码需要测试
codes = "UDI" # 美元指数
cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call ths_ifind.real_time_quotation.v1 --discovery-id "{DISCOVERY_ID}" --params '{{"codes":"{codes}"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
output = result.stdout
lines = output.split('\n')-H "apikey:{MX_APIKEY}" \
-d '{{"toolQuery": "A股融资融券余额 最新"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
json_start = result.stdout.find('{')
if json_start >= 0:try:
print("正在使用mx_data获取涨跌家数...")
cmd = f'''export MX_APIKEY="{MX_APIKEY}" && curl -s -X POST 'https://mkapi2.dfcfs.com/finskillshub/api/claw/query' -H 'Content-Type: application/json' -H "apikey:$MX_APIKEY" -d '{{"toolQuery": "A股今日涨跌家数统计"}}' 2>&1'''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
# 解析JSON
json_start = result.stdout.find('{')# 方法2: QVeris
try:
cmd = f"export QVERIS_API_KEY=\"{QVERIS_API_KEY}\" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call ths_ifind.real_time_quotation.v1 --discovery-id \"{DISCOVERY_ID}\" --params '{{\"codes\":\"VIX.GI\"}}'"
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
output = result.stdout
lines = output.split('\n')
json_start = None# 使用同花顺历史行情API获取最近2天成交额(包含北交所)
cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call ths_ifind.history_quotation.v1 --discovery-id "02e5c0f2-92fa-48ed-a5dd-7b6ed7930709" --params '{{"codes":"000001.SH,399001.SZ,899050.BJ","startdate":"{yesterday_date}","enddate":"{today_date}","indicators":"amount"}}' 2>&1'''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
# 解析JSON
lines = result.stdout.split('\n')today = datetime.now().strftime("%Y-%m-%d")
cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call ths_ifind.hk_connect_stats.v1 --discovery-id "06859631-618f-4e6e-92ae-adff07617d56" --params '{{"sdate":"{today}","edate":"{today}","lx":"ALL","bz":"HKD"}}' '''
exec_result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
# 解析JSON
lines = exec_result.stdout.split('\n')try:
print("正在使用mx_data获取主力资金流向...")
cmd = f'''export MX_APIKEY="{MX_APIKEY}" && ~/.openclaw/workspace/skills/mx_data/scripts/mx_data.sh "A股主力资金净流入" 2>&1'''
exec_result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
# 解析JSON响应
lines = exec_result.stdout.split('\n')for index_code, index_name in INDEX_CODES.items():
cmd = f'''export MX_APIKEY="{MX_APIKEY}" && ~/.openclaw/workspace/skills/mx_data/scripts/mx_data.sh "{index_name}行情" 2>&1'''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
lines = result.stdout.split('\n')
json_start = None# 遍历每个指数
for index_code, index_name in INDEX_CODES.items():
cmd = f'''export MX_APIKEY="{MX_APIKEY}" && ~/.openclaw/workspace/skills/mx_data/scripts/mx_data.sh "{index_name}行情" 2>&1'''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
lines = result.stdout.split('\n')
json_start = None-H "apikey:{MX_APIKEY}" \
-d '{{"toolQuery": "{name}估值"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
json_start = result.stdout.find('{')
if json_start >= 0:cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && node ~/.openclaw/skills/qveris/scripts/qveris_tool.mjs call ths_ifind.margin_trading.v1 --discovery-id "f9452019-4738-4383-8b63-89c184d26c72" --params '{{"scope":"market","sdate":"{query_date}","edate":"{query_date}"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
json_start = result.stdout.find('{')
if json_start >= 0:"--card", card_json
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
if result.returncode == 0:
print(f"✅ 日报已发送到飞书")codes = list(INDEX_CODES.keys())
codes_str = ",".join(codes)
cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call ths_ifind.real_time_quotation.v1 --discovery-id "{DISCOVERY_ID}" --params '{{"codes":"{codes_str}"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
output = result.stdout
lines = output.split('\n')-H "apikey:{MX_APIKEY}" \
-d '{{"toolQuery": "A股成交额 近5日"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
json_start = result.stdout.find('{')
if json_start < 0:codes_str = ",".join(codes)
cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call ths_ifind.real_time_quotation.v1 --discovery-id "{DISCOVERY_ID}" --params '{{"codes":"{codes_str}"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
output = result.stdout
lines = output.split('\n')# 调用API
cmd = f'''export QVERIS_API_KEY="{QVERIS_API_KEY}" && cd /root/.openclaw/skills/qveris && node {QVERIS_TOOL} call alphavantage.currency_exchange_rate.retrieve.v1 --discovery-id "{discovery_id}" --params '{{"function":"CURRENCY_EXCHANGE_RATE","from_currency":"USD","to_currency":"CNY"}}' '''
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
output = result.stdout
lines = output.split('\n')65/65 vendors flagged this skill as clean.