ClawHub

A Stock Info

v1.2.0

基于qgdata API的A股分钟级数据查询服务。提供实时股价、分钟K线、分时数据等专业数据。

0· 621·4 current·5 all-time
by@listolany
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (A股分钟级数据 via qgdata) matches required binary (python3), required env var (QGDATA_TOKEN), and the provided script which calls qgdata APIs. Minor metadata mismatch: SKILL metadata lists version 1.2.0 while _meta.json contains 1.1.0 — likely a packaging/versioning oversight but not a functional security issue.
Instruction Scope
SKILL.md instructs installing qgdata and pandas, setting QGDATA_TOKEN (env or ~/.openclaw/.env), and running the included Python script. The script only reads QGDATA_TOKEN and the .env path shown in docs; it does not access other system files, credentials, or external endpoints beyond the qgdata client library.
Install Mechanism
No automated install spec; user-run pip install qgdata pandas is required per docs. Installing third‑party packages from PyPI is expected for this task but carries usual supply-chain risk — verify the qgdata package provenance and consider using a virtualenv or pinned package versions.
Credentials
Only a single API token (QGDATA_TOKEN) is requested, which is appropriate for a data-provider client. The script reads that token from env or ~/.openclaw/.env as documented; no unrelated secrets or config paths are requested.
Persistence & Privilege
Skill is not always-enabled and does not request persistent system privileges. It does not modify other skills or system-wide configs. Storing a token in ~/.openclaw/.env is a local persistence choice documented by the skill (user-visible).
Assessment
This skill appears to do exactly what it claims: call qgdata to fetch minute-level A-share data. Before installing and using it: 1) Keep QGDATA_TOKEN secret — do not commit it to repos; storing it in ~/.openclaw/.env is plaintext so restrict file permissions. 2) Install qgdata and pandas in a virtualenv, and verify the qgdata package source (PyPI project page or vendor docs) to reduce supply-chain risk. 3) Note the small metadata/version mismatch in the package and that the sample token in SKILL.md is an example — replace with your real token. 4) Be mindful of the API provider's rate limits and that network calls go to qgdata endpoints (the included script itself does not exfiltrate data elsewhere).

Like a lobster shell, security has layers — review code before you run it.

latestvk974nfe1842qxad9wkp8prc5d1825rca

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3
EnvQGDATA_TOKEN

Comments