Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

eastmoney skills

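A collection of financial skills provided by Eastmoney Miaoxiang (东方财富妙想), covering financial data queries, news search, smart stock screening, watchlist management, and simulated portfolio management. All skills require authentication via MX_APIKEY.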

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 410 · 3 current installs · 3 all-time installs
by eastmoney_dev@qqk000
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The SKILL.md clearly requires an MX_APIKEY and checks for Node.js, but the registry metadata provided to the platform lists no required env vars or binaries. Requiring Node.js (Node 22+) is not justified by the shown runtime steps (no node commands are executed), while the functionality (financial data/search/portfolio management) legitimately needs an API key. The mismatch between declared metadata and the document is an incoherence.
[!] Instruction Scope
The runtime instructions tell the user/agent to rm -rf ~/.openclaw/skills/mx-skills* (removing existing similarly named skills), download multiple zip files from external URLs, unzip them into ~/.openclaw/skills, and prompt the user for an API key. These steps go beyond simple in-agent calls and involve modifying the user's skill directory and executing network downloads. The script also has several obvious shell syntax problems (missing $ on variables, extra spaces in assignments, use of /temp instead of common /tmp) which suggests low quality and potential for unintended behavior.
[!] Install Mechanism
Although the skill bundle has no formal install spec, the SKILL.md directs downloading and extracting multiple zip archives from marketdfs.dfcfw.com and placing them under ~/.openclaw/skills. Downloading and extracting archives from an external host (not a well-known release host like GitHub releases) is higher risk because the contents will be written to disk and potentially executed. There are no integrity checks or signatures shown.
[!] Credentials
The SKILL.md requires an MX_APIKEY (used for API authentication) which is proportionate to the described financial capabilities; however, the platform metadata omitted declaring this required env var. The skill only requests a single API key (reasonable), but the mismatch between manifest and instructions increases risk because automatic tooling or users may not realize a secret is needed or where it will be used.
Persistence & Privilege
always:false (normal). The instructions write into ~/.openclaw/skills and explicitly remove existing mx-skills* directories — modifying the user's skills directory is expected for installing a skill but the rm -rf pattern can be destructive if used carelessly. The skill does not request system-wide privileges or other credentials, and it does not demand permanent/autonomous inclusion beyond the platform defaults.
What to consider before installing
This skill is plausible (financial API usage with an API key) but several red flags mean you should be cautious:
1) The registry metadata does NOT list the MX_APIKEY or Node requirement even though SKILL.md requires them — ask the publisher to correct the manifest.
2) The installation instructs downloading and extracting multiple zip files from an external host (marketdfs.dfcfw.com) with no integrity checks — verify the URLs and obtain signed releases or inspect archives in a sandbox before running.
3) The provided install script contains syntax errors and uses rm -rf on a pattern; do not run it as-is or as root.
4) Prefer to manually inspect downloaded SKILL.md/SKILL files and run installations in an isolated environment (VM/container) and only provide your MX_APIKEY after confirming the publisher and URLs.
If you cannot verify the source or get corrected metadata, treat this as untrusted and avoid installing.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.2
latest vk97c1s33bfhdya10jj32ctsr958380rr

SKILL.md

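Eastmoney Miaoxiang Skills Installation Guide

This document describes how to install and verify the collection of financial skills provided by Eastmoney Miaoxiang in a local environment. Follow the steps below to make sure the skills are installed correctly and usable.

Prerequisites

  • Make sure Node.js is installed (version 22 or later).
# Check the Node.js version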
if ! command -v node &> /dev/null; then
  echo "错误:未安装 Node.js。请先安装 Node.js 22 或以上版本。"
  exit 1
fi

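Installation steps

1. Clean up old versions

Before installing, delete any existing skill directories under ~/.openclaw/skills whose names start with mx-skills, to avoid version conflicts: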

rm -rf ~/.openclaw/skills/mx-skills*

2. Download the Miaoxiang skills

Download the latest mx-skills skill definitions from the cloud, keeping all files in the same directory:

mkdir -p ~/.openclaw/skills/mx-skills/scripts
# Download the Miaoxiang financial data skill
MX_DATA_DOWNLOAD_URL="https://marketdfs.dfcfw.com/file/download/E220260320DRQ9S9.zip"
MX_DATA_TEMP_FILE= "/temp/mx_data.zip"
MX_DATA_OUTPUT_PATH="~/.openclaw/skills/mx-skills/mx-data/"

curl -fSL MX_DATA_DOWNLOAD_URL -o MX_DATA_TEMP_FILE || { echo "下载 mx_data.zip 失败"; exit 1; }
unzip -o MX_DATA_TEMP_FILE -d MX_DATA_OUTPUT_PATH || { echo "解压 mx_data.zip 失败"; exit 1; }
rm -f MX_DATA_TEMP_FILE
# Download the Miaoxiang news search skill
MX_SEARCH_DOWNLOAD_URL="https://marketdfs.dfcfw.com/file/download/E2202603204ELGGZ.zip"
MX_SEARCH_TEMP_FILE="/temp/mx_search.zip"
MX_SEARCH_OUTPUT_PATH="~/.openclaw/skills/mx-skills/mx-search/"

curl -fSL MX_SEARCH_DOWNLOAD_URL -o MX_SEARCH_TEMP_FILE || { echo "下载 mx_search.zip 失败"; exit 1; }
unzip -o MX_SEARCH_TEMP_FILE -d MX_SEARCH_OUTPUT_PATH || { echo "解压 mx_search.zip 失败"; exit 1; }
rm -f MX_SEARCH_TEMP_FILE
# Download the Miaoxiang smart stock screening skill
MX_SELECT_STOCK_DOWNLOAD_URL="https://marketdfs.dfcfw.com/file/download/E1202603204ETIIS.zip"
MX_SELECT_STOCK_TEMP_FILE="/temp/mx_select_stock.zip"
MX_SELECT_STOCK_OUTPUT_PATH="~/.openclaw/skills/mx-skills/mx-select-stock/"

curl -fSL MX_SELECT_STOCK_DOWNLOAD_URL -o MX_SELECT_STOCK_TEMP_FILE || { echo "下载 mx_select_stock.zip 失败"; exit 1; }
unzip -o MX_SELECT_STOCK_TEMP_FILE -d MX_SELECT_STOCK_OUTPUT_PATH || { echo "解压 mx_select_stock.zip 失败"; exit 1; }
rm -f MX_SELECT_STOCK_TEMP_FILE
# Download the Miaoxiang watchlist management skill
MX_SELFSELECT_DOWNLOAD_URL="https://marketdfs.dfcfw.com/file/download/E220260320556PGW.zip"
MX_SELFSELECT_TEMP_FILE="/temp/mx_selfselect.zip"
MX_SELFSELECT_OUTPUT_PATH="~/.openclaw/skills/mx-skills/mx-selfselect/"

curl -fSL MX_SELFSELECT_DOWNLOAD_URL -o MX_SELFSELECT_TEMP_FILE || { echo "下载 mx_selfselect.zip 失败"; exit 1; }
unzip -o MX_SELFSELECT_TEMP_FILE -d MX_SELFSELECT_OUTPUT_PATH || { echo "解压 mx_selfselect.zip 失败"; exit 1; }
rm -f MX_SELFSELECT_TEMP_FILE

# Download the Miaoxiang simulated portfolio management skill
MX_STOCK_SIMULATOR_DOWNLOAD_URL="https://marketdfs.dfcfw.com/file/download/E220260320DECQBH.zip"
MX_STOCK_SIMULATOR_TEMP_FILE="/temp/mx_stock_simulator.zip"
MX_STOCK_SIMULATOR_OUTPUT_PATH="~/.openclaw/skills/mx-skills/mx-stock-simulator/"

curl -fSL MX_STOCK_SIMULATOR_DOWNLOAD_URL -o MX_STOCK_SIMULATOR_TEMP_FILE || { echo "下载 mx_stock_simulator.zip 失败"; exit 1; }
unzip -o MX_STOCK_SIMULATOR_TEMP_FILE -d MX_STOCK_SIMULATOR_OUTPUT_PATH || { echo "解压 mx_stock_simulator.zip 失败"; exit 1; }
rm -f MX_STOCK_SIMULATOR_TEMP_FILE

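3. Set the API key

  1. Obtain an apikey from the Miaoxiang Skills page.
  2. Store the apikey in an environment variable named MX_APIKEY. Check whether an apikey already exists locally; if it does, use it directly. Set it as a session-level environment variable; by default, do not modify shell startup files such as ~/.bashrc or ~/.zshrc unless the user explicitly asks for a persistent configuration.
# Check for and set MX_APIKEY
if [ -z "$MX_APIKEY" ]; then
  echo "⚠️ 未检测到环境变量 MX_APIKEY。"
  read -p "请输入您的 API Key: " input_key
  if [ -n "$input_key" ]; then
    export MX_APIKEY="$input_key"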
    echo "✅ API Key 已临时设置(当前会话有效)。"
  else
    echo "❌ 输入为空,安装终止。"
    exit 1
  fi
else
  echo "✅ 检测到环境变量 MX_APIKEY,正在使用..."
fi

4. Verify the installed skill files

All of these skill files should exist after copying:

test -f ~/.openclaw/skills/mx-skills/mx-data/SKILL.md && echo "mx_data.md OK" || echo "mx_data.md MISSING"
test -f ~/.openclaw/skills/mx-skills/mx-search/SKILL.md && echo "mx_search.md OK" || echo "mx_search.md MISSING"
test -f ~/.openclaw/skills/mx-skills/mx-select-stock/SKILL.md && echo "mx_select_stock.md OK" || echo "mx_select_stock.md MISSING"
test -f ~/.openclaw/skills/mx-skills/mx-selfselect/SKILL.md && echo "mx_selfselect.md OK" || echo "mx_selfselect.md MISSING"
test -f ~/.openclaw/skills/mx-skills/mx-stock-simulator/SKILL.md && echo "mx_stock_simulator.md OK" || echo "mx_stock_simulator.md MISSING"
echo "MX_APIKEY=${MX_APIKEY:+is set}"
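
The scan above notes that the archives from step 2 are extracted with no integrity check. The shell helpers below are an added example, not part of the publisher's SKILL.md or of the scanner's output: they refuse to extract an archive unless its SHA-256 matches a digest obtained from the publisher and every entry name stays inside the destination. The function names and the digest placeholder are assumptions; the page publishes no digests.

```shell
#!/usr/bin/env bash
# Added example: verify-then-extract helpers for the archives step 2 downloads.
# Function names are hypothetical. The expected digest is a placeholder that
# must come from the publisher over a separate trusted channel.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only if the file's digest equals the expected one (case-insensitive).
# An empty expected digest never verifies.
verify_sha256() {
  local file=$1 expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || return 2
  actual=$(sha256_of "$file") || return 2
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Read archive member names on stdin; fail on absolute paths or ".." components,
# which would let an entry be written outside the destination directory.
entries_safe() {
  local name
  while IFS= read -r name; do
    case "$name" in
      /*|..|../*|*/..|*/../*) return 1 ;;
    esac
  done
  return 0
}

# Extract only after both checks pass. Pass a destination built from $HOME:
# a quoted "~" is not expanded by the shell.
safe_install() {
  local zip=$1 expected=$2 dest=$3
  verify_sha256 "$zip" "$expected" || { echo "digest mismatch: $zip" >&2; return 1; }
  unzip -Z1 "$zip" | entries_safe || { echo "unsafe entry in: $zip" >&2; return 1; }
  mkdir -p "$dest" && unzip -q -o "$zip" -d "$dest"
}

# Usage (placeholder digest, to be replaced with the publisher's value):
#   safe_install /tmp/mx_data.zip "<PUBLISHER_SHA256>" "$HOME/.openclaw/skills/mx-skills/mx-data"
```

Running this in a throwaway container or VM, as the scan recommends, keeps a bad archive away from the real ~/.openclaw/skills directory.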
