功夫财经
v0.4.1
Mainland China A-share stock and sector analysis tool (中国A股个股与板块分析). Current repo build focuses on stable deterministic products for stock snapshots, basic f...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with the included .mjs scripts and prompt assets. Required binary (node) and a single API credential (KUNGFU_OPENKEY) are appropriate for a local Node.js wrapper that calls the publisher's Tianshan API and public market-data endpoints (EastMoney/Tencent). Declared network endpoints match the described finance use cases.
Instruction Scope
The SKILL.md instructions are narrowly scoped to finance products and rendering flows. Notable runtime actions: reads host env vars, posts the KUNGFU_OPENKEY as a Bearer token to the publisher's tianshan-api host, writes SVG/PNG charts to ~/.openclaw/workspace/finance-master/charts/, and offers a config-openkey command that writes the key to ~/.openclaw/.env. These behaviors are documented in SKILL.md and consistent with the stated features, but the config write means the token may be persisted on disk.
Install Mechanism
No external download/install spec is used; the package contains bundled Node .mjs scripts and claims zero npm dependencies (bundled runtime). This is lower risk than remote downloads. Optional use of inkscape is local and invoked with execFileSync (no shell).
Credentials
Only one required secret env var (KUNGFU_OPENKEY) is declared and used for authenticating to the publisher's Tianshan API — this is proportionate to the stated purpose. There are additional optional env vars for an independent search provider (separate credential boundary), which are documented and gated by KUNGFU_ENABLE_RESEARCH_SEARCH. Caveat: the skill may persist KUNGFU_OPENKEY to ~/.openclaw/.env via config-openkey, so users should know the token will be stored on disk if they run that flow.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill writes only to its own workspace and a per-user .env file; it does not request system‑wide privileges or modify other skills' configs. Subprocess invocation (inkscape) is limited to fixed args for SVG→PNG conversion.
Assessment
This skill appears coherent with its description: it runs local Node scripts, calls the listed market-data hosts, and requires a single API key (KUNGFU_OPENKEY) to talk to the publisher's backend. Before installing or using it, consider:
- Trust the operator: KUNGFU_OPENKEY is sent to tianshan-api.kungfu-trader.com (the publisher) — only install if you trust that service and its handling of your token.
- Token persistence: the config-openkey command will write your key to ~/.openclaw/.env (plaintext). If you prefer not to persist the key, set KUNGFU_OPENKEY only in the process environment and avoid running the config write flow.
- Least privilege: treat KUNGFU_OPENKEY as a scoped API token; if possible, issue a key with limited scope and rotate it if you stop using the skill.
- Network hosts: the skill documents all outbound hosts (Tianshan, EastMoney, Tencent, ClawHub/Convex update checks). Review these if you have network policy concerns.
- Local files: charts are written to ~/.openclaw/workspace/finance-master/charts/; ensure you’re comfortable with that location and disk writes.
- Subprocess risk: inkscape is invoked with execFileSync and fixed arguments (no shell interpolation), which reduces injection risk; still audit if you plan to enable PNG conversion.
If you want higher assurance, review scripts/core/http_client.mjs and the run_config_openkey_flow/run_health_flow implementations referenced in SKILL.md to confirm exactly how the key is validated and written.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: node
Env: KUNGFU_OPENKEY
Primary env: KUNGFU_OPENKEY
