Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Systematic investment-value analysis of listed companies; supports A-shares, Hong Kong stocks, and US stocks.


MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (systematic investment analysis for A/H/US stocks) match the included scripts and templates: data fetching (multiple public finance sources), calculations, report generation and comparison. Required binaries and env/paths declared in SKILL.md (curl, jq, bc, python3, bash) align with the scripts' needs.
Instruction Scope
Runtime instructions and scripts are within the stated scope (fetch data, compute indicators, generate HTML/PDF, and serve reports). Two operational behaviors to note: (1) generate-pdf-report.sh launches python3 -m http.server on port 8888 and advertises direct download links — this exposes the reports directory over HTTP (serves all files in that directory) and may be reachable depending on container/network configuration; (2) filenames use user-supplied COMPANY_NAME without sanitization (e.g., ${COMPANY_NAME}_${STOCK_CODE}.html), which can enable path traversal or unexpected file creation if malicious input is provided. These are functional for the claimed feature but increase risk if the skill runs in a broad network context or with untrusted inputs.
Install Mechanism
No install spec; the package includes scripts and templates only. There are no downloads from third-party URLs or package installs embedded in an installer. This is lower risk than remote installs, but the skill includes executable scripts that will run when invoked.
Credentials
The skill requests no environment variables or external credentials. The dependencies (curl, jq, bc, python3) are reasonable for its functionality. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide changes. It starts a local HTTP server and writes files under its own directory (/app/skills/stock-analysis/reports/), which is normal for report generation. There is no evidence it modifies other skills or global configs.
Assessment
This skill appears to do what it says: fetch public market data, compute indicators, and produce downloadable HTML reports. Before installing or running it: 1) Run it in an isolated container or environment (do not bind the container port to a public host) because it launches a simple Python HTTP server on port 8888 that will expose the reports directory to the network if reachable. 2) Treat user-supplied inputs (company name / stock code) as untrusted: filenames are constructed without sanitization, which could allow path traversal or overwriting files — prefer safe names or validate/escape inputs. 3) Ensure the runtime has only expected tools (curl, jq, bc, python3) and that outbound network access is acceptable (the scripts call multiple public finance sites over HTTP/HTTPS). 4) If you need stricter privacy, modify generate-pdf-report.sh to bind the HTTP server to localhost only (python3 -m http.server --bind 127.0.0.1) or avoid starting a server and instead use the platform's file-download API. If you want me to, I can point out exact lines to harden (e.g., sanitize COMPANY_NAME, restrict server bind) or produce a patched generate-pdf-report.sh that is safer.
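
The two hardening steps the assessment names (validating the company name and stock code before they reach the report filename, and binding the server to localhost), shown as an added example. This is not the skill's own code or a patched generate-pdf-report.sh; the function names and length limits are assumptions.

```shell
#!/bin/sh
# Added example (not the skill's code): validate inputs before building the
# report path, and serve reports on loopback only. Function names and the
# length limits are assumptions; REPORT_DIR is the directory named on the page.
REPORT_DIR="${REPORT_DIR:-/app/skills/stock-analysis/reports}"

# Company names may be non-ASCII (e.g. 蓝思科技), so reject dangerous input
# instead of whitelisting ASCII: empty, leading '.' or '-', any '/' or '\',
# any control character, or more than 200 bytes.
valid_company_name() (
    LC_ALL=C   # byte-wise matching; UTF-8 multibyte bytes never equal '/' or '\'
    case "$1" in
        ''|.*|-*|*/*|*\\*|*[[:cntrl:]]*) false ;;
        *) [ "${#1}" -le 200 ] ;;
    esac
)

# Stock codes: ASCII letters, digits, '.' and '-', starting alphanumeric,
# at most 12 characters (e.g. 300433 or a dotted US ticker).
valid_stock_code() (
    LC_ALL=C
    case "$1" in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9.-]*) false ;;
        *) [ "${#1}" -le 12 ] ;;
    esac
)

# Print the report path, or fail without printing anything.
report_path() {
    valid_company_name "$1" || return 1
    valid_stock_code "$2" || return 1
    printf '%s/%s_%s.html\n' "$REPORT_DIR" "$1" "$2"
}

# Serve only REPORT_DIR, reachable only from the local host.
serve_reports_locally() {
    python3 -m http.server 8888 --bind 127.0.0.1 --directory "$REPORT_DIR"
}
```

Because neither validated field can contain a path separator, the resulting file always lands directly inside REPORT_DIR.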

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.4.0


SKILL.md

Stock Analysis Skill - Stock Investment Analysis v1.4.1

Description

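Performs systematic investment-value analysis of listed companies, covering fundamentals, technicals, valuation, and peer comparison. Supports A-shares, Hong Kong stocks, and US stocks.

New feature: after analysis, a downloadable HTML/PDF report is generated automatically.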

Location

/app/skills/stock-analysis/

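Triggers

  • "分析 XX 股票/公司" (analyze XX stock/company)
  • "XX 值得投资吗" (is XX worth investing in?)
  • "给 XX 估值/目标价" (give XX a valuation/target price)
  • "对比 XX 和 XX" (compare XX and XX)
  • "生成 PDF 报告" (generate a PDF report)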

Scripts

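| Script | Function |
| --- | --- |
| analyze.sh | Main entry point for comprehensive analysis |
| analyze-with-pdf.sh | Analysis + PDF generation in one step 🔴 |
| generate-pdf-report.sh | PDF report generation + download link 🔴 |
| fetch-price.sh | Real-time price retrieval |
| technical-analysis.sh | Technical analysis |
| ... | Other scripts |

🔴 PDF report download feature

Usage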

cd /app/skills/stock-analysis/scripts
./analyze-with-pdf.sh 300433 蓝思科技

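Output

  • Generates an HTML report automatically
  • Starts an HTTP server (port 8888)
  • Provides a direct download link
  • The user clicks the link to view the report in a browser and save it as PDF

Download link format

http://<server IP>:8888/<company name>_<stock code>.html

User steps

  1. Click the download link provided
  2. Open the report in a browser
  3. Press Ctrl+P and choose "Save as PDF"
  4. Or right-click the link and choose "Save as"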

Workflow

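Phase 1: Data retrieval

  1. Fetch real-time quotes automatically
  2. Fetch financial data
  3. Fetch technical data

Phase 2: Analysis

  1. Calculate financial ratios
  2. Valuation analysis
  3. Peer comparison
  4. Generate top-pick hints

Phase 3: Report generation

  1. Generate the HTML report
  2. Start the HTTP server
  3. Provide the download link
  4. The user clicks to download directly

Output Format

Full report (HTML format)

  • Path: /app/skills/stock-analysis/reports/
  • Directly accessible download link
  • Browser-friendly; can be printed to PDF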

Configuration

Configure in TOOLS.md:

### Stock Analysis

- PDF 生成:启用
- HTTP 端口:8888
- 报告目录:/app/skills/stock-analysis/reports/

Version History

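| Version | Date | Changes |
| --- | --- | --- |
| v1.4.1 | 2026-03-16 | PDF report + direct download link 🔴 |
| v1.4.0 | 2026-03-16 | Basic PDF generation |
| v1.3.0 | 2026-03-16 | Peer top-pick hints |
| v1.2.0 | 2026-03-16 | Technical analysis |
| v1.1.0 | 2026-03-16 | Data retrieval |
| v1.0.0 | 2026-03-16 | Initial version |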

Dependencies

  • curl (required)
  • jq (recommended)
  • bc (required)
  • python3 (required, used for the HTTP server)
  • bash 4.0+

Limitations

⚠️ Some APIs may have access restrictions
⚠️ Does not constitute investment advice
⚠️ Data may be delayed
