功夫财经

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's code, runtime instructions, network hosts, and required credential (KUNGFU_OPENKEY) are consistent with a mainland China A‑share analysis tool; nothing in the bundle appears to perform unrelated or hidden actions, but it does store and send your single API token to the publisher's backend and writes chart files to your home workspace.

This skill appears coherent with its description: it runs local Node scripts, calls the listed market-data hosts, and requires a single API key (KUNGFU_OPENKEY) to talk to the publisher's backend. Before installing or using it, consider:

- Trust the operator: KUNGFU_OPENKEY is sent to tianshan-api.kungfu-trader.com (the publisher). Only install if you trust that service and its handling of your token.
- Token persistence: the config-openkey command writes your key to ~/.openclaw/.env in plaintext. If you prefer not to persist the key, set KUNGFU_OPENKEY only in the process environment and avoid running the config write flow.
- Least privilege: treat KUNGFU_OPENKEY as a scoped API token. If the publisher supports it, issue a key with limited scope, and rotate or revoke it when you stop using the skill.
- Network hosts: the skill documents all outbound hosts (Tianshan, EastMoney, Tencent, ClawHub/Convex update checks). Review these if you have network policy concerns, and confirm the code contacts nothing beyond the documented list.
- Local files: charts are written to ~/.openclaw/workspace/finance-master/charts/. Make sure you are comfortable with that location and with the skill writing to disk.
- Subprocess risk: inkscape is invoked with execFileSync and a fixed argument list, so no argument is interpolated into a shell command string; this removes the usual command-injection path, but audit the call site before enabling PNG conversion.

If you want higher assurance, review scripts/core/http_client.mjs and the run_config_openkey_flow and run_health_flow implementations referenced in SKILL.md to confirm exactly how the key is validated and written.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

No visible risk-analysis findings were reported for this release.