Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A Stock Evening

v1.0.0

Sends a daily 15:10 summary of A-share closing data including index changes, volume, hot sectors, and main capital flow via Feishu.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for chrislzg/a-stock-evening.

Install the skill "A Stock Evening" (chrislzg/a-stock-evening) from ClawHub.
Skill page: https://clawhub.ai/chrislzg/a-stock-evening
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install a-stock-evening

ClawHub CLI

npx clawhub@latest install a-stock-evening

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with implementation: the script fetches A‑share data from EastMoney endpoints, builds a report, and sends via the OpenClaw Feishu channel. The network endpoints used (eastmoney push2 APIs) are consistent with the stated data sources. One unexpected element: the script hardcodes a Feishu user id (feishuUserId = 'ou_d70ce91dc6fdd7aa7ceacb1c312618a0'), which may not be appropriate for all users and is not explained in SKILL.md.
Instruction Scope
SKILL.md stays within scope (fetch data, format report, send via Feishu). However, the runtime script uses child_process.execSync to run a shell command (openclaw message send) with a dynamically generated message interpolated into the command string. The code only escapes double quotes and newlines, leaving other shell metacharacters (e.g., $(...), ``, ;, &) unescaped; if any API response field contains crafted content, this could result in shell command execution. The script also assumes openclaw CLI presence and uses a hardcoded recipient id, which may leak messages to an unexpected third party.
Install Mechanism
Instruction-only skill with a single included script; there is no install spec, no external archive downloads, and no packages installed by the skill itself. This is a low-risk install footprint.
Credentials
The skill declares no required environment variables or credentials. It relies on the OpenClaw CLI to handle Feishu delivery (so OpenClaw credentials are used implicitly). That is proportionate, but users should be aware the script will run with whatever OpenClaw/agent identity is available and will send messages under that identity. The hardcoded Feishu user id is not declared and may be inappropriate.
Persistence & Privilege
The skill is not always:true and does not request system-wide changes. It does invoke the openclaw CLI to send messages (normal for this purpose). It does not modify other skills or system-wide configs.
What to consider before installing
This skill appears to do what it says (fetch EastMoney data and send a closing report via Feishu), but there are two things to consider before installing:
  • Command injection risk: the script builds a shell command with execSync and interpolates the whole report into it. Although it escapes quotes/newlines, other shell metacharacters from the fetched data could allow command execution. Prefer a safer send mechanism (use an API/client library or execFile with args) or robustly escape all shell metacharacters.
  • Hardcoded recipient: the script contains a fixed Feishu user id. Confirm this id is intended; otherwise modify the script to accept a configured recipient (via a declared setting or env var) to avoid sending reports to the wrong person.
Other practical checks: ensure the openclaw CLI will be available in the runtime environment, and consider running the skill in a constrained environment (limited privileges) until you review and, if needed, patch the script to remove shell execution and make the recipient configurable.
scripts/closing-summary.mjs:322
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

latest vk97evt1p1nm9gyhm34nx9q8rph84t35e
61 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

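A-Share Closing Report

On every A-share trading day at 15:10, sends a summary of the day's close via Feishu, including the main capital flow status.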

Trigger Conditions

  • Time: 15:10 on every trading day (Monday to Friday)
  • Time zone: Asia/Shanghai
  • Note: public holidays require an additional check

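Content

  • Percentage change of the SSE Composite Index, SZSE Component Index, ChiNext Index, and CSI 300
  • Advance/decline distribution (up/down/flat)
  • Main capital flow status (key focus)
    • Main capital net inflow/net outflow
    • Top 5 sectors by main capital net inflow
    • Top 5 sectors by main capital net outflow
  • Hot sectors
  • Turnover
  • Trading suggestions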

Implementation

Uses the EastMoney stock API to fetch real-time data:

  • Indices: https://push2.eastmoney.com/api/qt/ulist.np/get
  • Sector capital flow: https://push2.eastmoney.com/api/qt/clist/get (fid=f62, main capital)
  • Advance/decline statistics: https://push2.eastmoney.com/api/qt/ulist.np/get (f104/f105/f106)

Delivery

Sent to the user through the OpenClaw Feishu channel.

Usage

# Generate the report only
node scripts/closing-summary.mjs

# Generate the report and send it to Feishu
node scripts/closing-summary.mjs --send

Cron Scheduled Task

Set it to run at 15:10 every day (OpenClaw automatically determines whether it is a trading day):

openclaw cron add "10 15 * * 1-5" --skill a-stock-evening -- --send
