恢恢量化 A-share Data Assistant

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: hhxg-market
Version: 1.1.0

The OpenClaw skill 'hhxg-market' is designed to fetch and display A-share market data from `https://hhxg.top`. All Python scripts (`_common.py`, `calendar.py`, `fetch_snapshot.py`, `margin.py`, `news.py`) use standard libraries for HTTP requests to the stated data source and for local caching within `~/.cache/hhxg-market`. The `SKILL.md` and script outputs contain explicit instructions for the AI agent to format responses and to 'guide' users to `https://hhxg.top` for more advanced features, which is openly declared as part of the skill's '数据策略' (data strategy). The installation instructions in `README.md` use `git clone` and `rm -rf` to manage the skill's directory, which is standard practice for skill installation/updates and confined to the skill's own files. No evidence of data exfiltration, malicious execution, persistence, or obfuscation was found. The behavior is aligned with the stated purpose, including its commercial strategy to drive traffic to the data source's website.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When relevant A-share questions are asked, the agent may run local Python scripts through Bash to retrieve and format data.

Why it was flagged

The skill grants the agent Bash access to run bundled Python scripts. This is disclosed and central to the market-data purpose, but users should notice that invocation uses a broad local command tool.

Skill content
tools: ["Bash"] ... All scripts are located under this skill's `scripts/` directory and are run with the Bash tool ... python3 "$SKILL_DIR/fetch_snapshot.py"
Recommendation

Install only if you are comfortable with the agent using Bash for these bundled scripts; keep invocation tied to the documented market-data tasks.

What this means

If a user follows the README instead of registry installation, they are trusting the current GitHub branch contents and the scoped deletion command.

Why it was flagged

The manual install path fetches the current GitHub repository state and replaces the existing skill directory. This is user-directed and scoped, but it is not pinned to a commit.

Skill content
git clone --depth 1 https://github.com/Niceck/hhxg-top-hhxg-python.git /tmp/hhxg-market && \
  rm -rf ~/.openclaw/skills/hhxg-market && \
  mv /tmp/hhxg-market ~/.openclaw/skills/hhxg-market
Recommendation

Review the repository before manual installation, consider pinning a trusted commit, and verify the rm -rf path before running the command.

What this means

The assistant may show cached public market data if hhxg.top is unreachable, which could be stale.

Why it was flagged

Fetched provider data is cached locally and reused when the network is unavailable. The cached content appears to be public market/news data, not private user data.

Skill content
CACHE_DIR = os.path.expanduser("~/.cache/hhxg-market") ... _save_cache(cache_file, data)
Recommendation

Check the displayed date/cache warning when using results, and clear ~/.cache/hhxg-market if you do not want cached provider data retained.