Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baostock Skill

v1.0.0

Query Chinese A-share market data using BaoStock. Use when user asks for stock quotes, historical K-line, fundamentals, or market analysis. Supports real-tim...


Install

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for liyico/baostock-skill.

Prompt preview (Install & Setup):
Install the skill "Baostock Skill" (liyico/baostock-skill) from ClawHub.
Skill page: https://clawhub.ai/liyico/baostock-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install baostock-skill

ClawHub CLI

npx clawhub@latest install baostock-skill

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The SKILL.md and scripts claim to run a local CLI (baostock) or the included Python CLI (scripts/baostock_cli.py), but index.ts calls a hard-coded absolute path (/Users/nico/.openclaw/workspace/skills/baostock-skill/baostock) that is not part of the bundle. skill.json's main/scripts entries reference non-existent files (scripts/baostock_interface.py, scripts/query_stock.py), indicating inconsistent packaging and leftover developer paths. These mismatches are not proportional to the stated purpose and suggest sloppy packaging or misconfiguration.
Instruction Scope
SKILL.md suggests invoking a CLI; the included Python CLI looks reasonable. However, index.ts builds a shell command by concatenating unsanitized input into an exec() call (args like --symbol ${symbol} are inserted without escaping). This permits command injection if symbol/type/etc. contain shell metacharacters. index.ts also invokes an executable at an absolute path rather than the included script, which could execute an attacker-controlled binary if that path is created. skill.json grants read/write to ~/.openclaw/workspace/** which could expand the scope of what the skill can access.
Install Mechanism
There is no install spec (instruction-only), which is low risk in principle. The SKILL.md asks users to pip install baostock/pandas. No remote downloads or archive extraction are present in the package. However, the package metadata lists dependencies and requirements and references missing files, indicating packaging errors that should be resolved before trusting the skill.
Credentials
The skill requests no environment variables, which is appropriate. But skill.json requests broad file-system permissions (read/write on ~/.openclaw/workspace/**). Given the hard-coded developer path and exec usage, those permissions are disproportionate and could allow the skill to read or modify unrelated workspace files or caches. The code itself doesn't require secrets, but the broad file permissions increase risk.
Persistence & Privilege
The skill does not set always:true and does not request elevated platform privileges. That is appropriate. However, skill.json's declared file-system permissions provide a persistent capability to read/write the OpenClaw workspace; combined with the exec and path issues this is noteworthy but not an automatic privilege escalation.
Scan Findings in Context
[no_pre_scan_findings] expected: Static pre-scan reported no regex hits. That doesn't mean the package is safe — the manual review found multiple logical/integration issues and a command-injection vulnerability in index.ts.
What to consider before installing
Do not install or enable this skill yet. The package contains several inconsistencies and a concrete risk: index.ts runs a shell command by concatenating user-supplied arguments into child_process.exec and calls a hard-coded developer path (/Users/nico/...), which can lead to command injection or execution of an unexpected binary. Before installing, ask the maintainer to: 1) fix skill.json to point to existing entry points and remove stale developer paths; 2) make index.ts invoke the included Python script (scripts/baostock_cli.py) or use a safe child_process.spawn with an args array (no shell concatenation) and proper escaping; 3) narrow file-system permissions (avoid broad read/write to ~/.openclaw/workspace/** unless strictly needed); 4) provide an install spec or clear instructions that match the actual files; and 5) re-run a security review. If you must test, run it in an isolated environment (VM or container) and do not grant it access to sensitive workspaces or credentials.
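As an added example (not the skill's own index.ts), the string-concatenation pattern the scan describes beside the hardened form it recommends: every field is checked against an allow-list and handed to child_process.spawn as an argv array with no shell, and the bundled scripts/baostock_cli.py is located relative to a caller-supplied skill directory rather than the hard-coded developer path. The QueryRequest shape, the set of accepted flag values and the skillDir parameter are assumptions.

```typescript
import { spawn } from "node:child_process";
import * as path from "node:path";

// Hypothetical request shape; the field names mirror the CLI flags listed in SKILL.md.
export interface QueryRequest {
  type: string; symbol?: string; startDate?: string; endDate?: string; frequency?: string;
}

const ALLOWED_TYPES = new Set(["quote", "history", "stock-list", "index-history"]);
const ALLOWED_FREQ = new Set(["5", "15", "30", "60"]);
const SYMBOL_RE = /^(sh|sz)\d{6}$/;     // e.g. sh600519, sz000001
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;  // e.g. 2024-01-01
// The pattern the scan describes: fields spliced into one string for exec().
// /bin/sh parses the whole string, so a ';' or '$(' inside `symbol` becomes a command.
export function unsafeCommand(req: QueryRequest): string {
  return `baostock --symbol ${req.symbol} --type ${req.type}`;
}

// Hardened form: allow-list each field, build an argv array for spawn() with shell: false
// (no shell ever parses the values), and resolve the bundled script from skillDir.
export function planInvocation(req: QueryRequest, skillDir: string): { file: string; args: string[] } {
  if (!ALLOWED_TYPES.has(req.type)) throw new Error(`unsupported type: ${req.type}`);
  const args = [path.join(skillDir, "scripts", "baostock_cli.py"), "--type", req.type];
  if (req.type !== "stock-list") {
    if (!req.symbol || !SYMBOL_RE.test(req.symbol)) throw new Error("symbol must look like sh600519 or sz000001");
    args.push("--symbol", req.symbol);
  }
  for (const [flag, val] of [["--start-date", req.startDate], ["--end-date", req.endDate]] as const) {
    if (val === undefined) continue;
    if (!DATE_RE.test(val)) throw new Error(`${flag} must be YYYY-MM-DD`);
    args.push(flag, val);
  }
  if (req.frequency !== undefined) {
    if (!ALLOWED_FREQ.has(req.frequency)) throw new Error("frequency must be 5, 15, 30 or 60");
    args.push("--frequency", req.frequency);
  }
  return { file: "python3", args };
}

// Runs the planned invocation; stdout carries the CLI's JSON output.
export function runBaostock(req: QueryRequest, skillDir: string): Promise<string> {
  const { file, args } = planInvocation(req, skillDir);
  return new Promise((resolve, reject) => {
    const child = spawn(file, args, { shell: false });
    let out = "";
    child.stdout?.on("data", (chunk: Buffer) => { out += chunk.toString(); });
    child.on("error", reject);
    child.on("close", (code) => (code === 0 ? resolve(out) : reject(new Error(`exit code ${code}`))));
  });
}
```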
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
index.ts:32: Shell command execution detected (child_process).

114 downloads · 0 stars · 1 version · Updated 1mo ago · v1.0.0 · License: MIT-0

BaoStock Finance Skill

This skill wraps BaoStock (http://baostock.com) to provide easy access to Chinese A-share market data. BaoStock is a stable domestic data source with no compilation requirements.

What It Does

  • Real-time quotes: Latest price, volume, change for A-shares
  • Historical data: Daily, weekly, monthly, minute bars
  • K-line data: OHLC with adjust factors (qfq, hfq)
  • Financial data: Basic indicators, PE/PB, market cap
  • Index data: SSE, SZSE, CSI indices
  • Stock basics: List of A-shares, industry classification

When to Use

The user asks things like:

  • "查询贵州茅台最新股价" (look up the latest share price of Kweichow Moutai)
  • "获取宁德时代最近30天的日线数据" (get the last 30 days of daily bars for CATL)
  • "列出所有银行股" (list all bank stocks)
  • "分析中国平安的市盈率" (analyze Ping An's P/E ratio)
  • "获取上证指数历史数据" (get historical data for the SSE Composite Index)

How to Invoke

# Single stock quote
baostock --symbol sh600519 --type quote

# Historical K-line (daily)
baostock --symbol sh600519 --type history --start-date 2024-01-01 --end-date 2024-12-31

# Minute data (5-minute intervals)
baostock --symbol sh600519 --type history --frequency 5 --start-date 2024-03-01

# Stock list (all A-shares)
baostock --type stock-list

# Index data
baostock --symbol sh000001 --type index-history --start-date 2024-01-01

Dependencies

  • Python 3.8+
  • baostock package (pip install baostock)
  • pandas (normally already installed)

pip3 install baostock

Data Source

BaoStock fetches data from BaoXin (宝新) data provider. It is:

  • ✅ Domestic (mainland China) source, so no cross-border network issues
  • ✅ Free for non-commercial use
  • ✅ Supports minute-level data
  • ⚠️ Some delay for real-time data (~15 min for minute bars)

Output Format

Default: JSON

{
  "symbol": "sh600519",
  "name": "贵州茅台",
  "price": 1680.50,
  "change": 1.23,
  "pct_change": 0.07,
  "volume": 1234567,
  "amount": 2000000000,
  "timestamp": "2025-03-18 15:00:00"
}

For historical data:

[
  {
    "date": "2025-03-18",
    "open": 1670.00,
    "high": 1690.00,
    "low": 1668.50,
    "close": 1680.50,
    "volume": 1234567,
    "amount": 2000000000
  }
]

Integration with OpenClaw

This skill can be assigned to the finance.yaml role:

plugins:
  allow:
    - baostock-skill
    - feishu-doc
    - feishu-bitable

Limitations

  • Real-time quotes are actually 15-min delayed (free tier)
  • Some stocks may have missing data (new listings)
  • No direct access to order book (Level 2)
  • API rate limits: ~100 requests/minute

Troubleshooting

Issue             Check
Import error      pip3 install baostock
No data returned  Check symbol format (sh/sz prefix) and trading day
Network error     BaoStock uses domestic servers; should be fine

Examples

# Get all stock names and codes
baostock --type stock-list --output stocks.csv

# Get daily history for last 30 days
baostock --symbol sh600519 --type history --days 30

# Get 5-minute bars for today (if market open)
baostock --symbol sh600519 --type history --frequency 5
