Quant Stock

What to consider before installing or enabling this skill: - Don’t run the scripts or install the cron job until you inspect and, if needed, modify them. install_cron.sh will edit your crontab and run_task.sh will attempt to run on a schedule. - Inspect and remove or replace hard-coded recipients: run_task.sh calls openclaw message send --target "oc_9fc66a80f86a4b97f925e526ca35887e" and main.py has FEISHU_CHAT_ID = "oc_0142a8d63ace2e4db368ae7b607e702f". Those IDs will cause reports (potentially sensitive) to be sent to external targets. Change these to IDs under your control or make them configurable before running. - The SKILL.md suggests creating feishu_config.json, but main.py expects it in an odd location (parent of the project directory). Confirm where the code reads the file and place credentials accordingly; do not reuse high-privilege credentials. Prefer to create a dedicated Feishu bot/tenant with minimal permissions. - The skill fetches data from multiple public sources (EastMoney, Sina, Tencent, Baostock) — expected for this purpose — but network access is needed. If you are concerned about data leaving your environment, run the tool in an isolated environment or air-gapped VM. - The repo references update_hot.sh in install_cron.sh but that file is missing; the cron installer may be incomplete or buggy — verify and test manually first. - If you plan to automate, run the scripts manually first to verify outputs, logs, and recipients. Review run_task.sh, main.py and any CLI calls (openclaw) to ensure no unexpected exfiltration. - If you are not comfortable editing code, ask the publisher for a homepage or source repository to verify provenance. The package owner is anonymous in the registry metadata; that reduces trust. Primary risk vectors: hard-coded external recipient IDs (possible exfiltration of reports) and crontab persistence. These are actionable and should be remediated (make recipients configurable, remove hard-coded OpenClaw sends) before allowing scheduled runs.