ClawHub

openpd

v1.0.0

每日开盘分析 Skill - 每个交易日自动推送 WTI 原油和黄金的开盘预测报告 **功能特性:** - 5:00 自动收集实时价格数据 - 5:30 分析信息面并推送到飞书 - 表格格式展示:品种、收盘价、开盘预测、置信度 - 基于隔夜新闻的利好/利空分析 **数据源:** - 价格数据:CommodityP...

0· 139·0 current·0 all-time
by@linshengyyy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code: scripts fetch commodity prices and news, analyze, and push reports. Declared dependencies (python3, requests) and files (commodity_price.py, config.py, main.py, install_cron.py) are appropriate. Minor mismatch: 'curl' is listed as a required binary but I did not find usages of curl in the provided code.
Instruction Scope
SKILL.md and code instruct the agent/user to add API keys, run the installer, and create cron entries. The runtime instructions and code only access the configured APIs, skill files, and the user's crontab/workspace directories; they do not attempt to read unrelated system secrets or system files outside the stated scope.
Install Mechanism
This is an instruction-and-code skill (no external download install). install_cron.py edits the user's crontab via standard crontab commands and writes to /tmp for installation — expected. No suspicious remote download or archive extraction was found.
Credentials
The skill requests no environment variables but requires the user to supply two API keys (CommodityPriceAPI and 东方财富妙想) which are written as plaintext into local Python files. That is coherent with the functionality but has privacy implications: keys are stored in files under ~/.openclaw/skills/... rather than using a secret store or env vars.
Persistence & Privilege
The installer modifies the user's crontab to add recurring jobs (5:00 collect, 5:30 analyze) and writes config files under the user's skill directory — this is expected for a scheduled-report skill. always:true is not set. The cron modification is a persistent change and should be noted, but it only affects the user's crontab.
Assessment
What to consider before installing: - Cron changes: the installer will add two cron jobs to your user crontab. Back up your crontab (crontab -l > backup.txt) before installing if you need to preserve existing entries. - API keys: you'll be prompted to paste two API keys; they will be written in plaintext into commodity_price.py and config.py under ~/.openclaw/skills/market-open-analysis/. If you prefer not to store keys in files, adapt the code to read from environment variables or a secret store. - Endpoints: the skill calls api.commoditypriceapi.com and mkapi2.dfcfs.com (the documented news API). Only enable the skill if you trust those services and the keys you provide. - Permissions: the installer invokes crontab and systemctl (to check cron). Run the installer only in an environment you control (not on sensitive production machines) and review the code if you have concerns. - Minimal oddities: 'curl' is listed as a required binary but not used in the provided code; this is a minor inconsistency but not a security issue. If you want extra safety, review the push implementation (feishu/telegram/discord code paths) in main.py before supplying real keys, and consider running the skill in a restricted account or VM.

Like a lobster shell, security has layers — review code before you run it.

latestvk971qaer1mtrnrkw8sqt9fkc7s833w5e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌅 Clawdis
Binspython3, curl

Comments