Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Company Onepager

v7.1.0

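Generates a "one-page" research brief for a listed company, combining basic information, market data, a 10-year financial data table, a 10-year monthly candlestick (K-line) chart, shareholder structure, and recent news. Data priority: iFinD → Tushare → AkShare + Web Search. Every section is labeled with its data source. Use cases: (1) researching stock/company information (2) generating stock analysis reports (3) integrating multi-dimensional data into...

by 赖根 (@laigen)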

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for laigen/company-onepager.

Install the skill "Company Onepager" (laigen/company-onepager) from ClawHub.
Skill page: https://clawhub.ai/laigen/company-onepager
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: TUSHARE_TOKEN
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install company-onepager

ClawHub CLI

npx clawhub@latest install company-onepager
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description align with included code (fetching iFinD/Tushare/AkShare data, building charts and PDFs). However there are metadata mismatches: the registry metadata lists only TUSHARE_TOKEN as a required credential, while SKILL.md and the code also require an iFinD auth_token stored in a config file path (~/.openclaw/workspace/skills/ifind-finance-data/mcp_config.json). The code enforces presence of TUSHARE_TOKEN even if the user intends to fall back to AkShare (odd design choice). These inconsistencies are likely engineering gaps but are relevant to trust.
Instruction Scope
Runtime instructions and code read an iFinD config file under ~/.openclaw/workspace/skills/ifind-finance-data and attempt to import/use other skill code (brave-search) if present — this cross-skill file access increases the attack surface. The iFinD fetch uses requests with verify=False (disables SSL verification). The code also calls web_search/brave_search and may send data to external network endpoints (iFinD API, Google Fonts, web search). The scripts will exit if TUSHARE_TOKEN is not set, even when only AkShare is intended. These behaviors go beyond a simple 'call Tushare' flow and merit review.
Install Mechanism
There is no formal install spec (instruction-only), which minimizes invisible installation steps. SKILL.md lists pip dependencies (tushare, akshare, matplotlib, weasyprint, etc.) — installing these is expected for the functionality but weasyprint can require extra system libraries and pip installs will pull network packages. No arbitrary binary downloads or obscure URLs were found in the manifest.
Credentials
The declared primaryEnv is TUSHARE_TOKEN (reasonable), but the code also requires an iFinD auth_token stored in a specific config file (not declared as a required env var in the registry). The skill forces presence/validation of TUSHARE_TOKEN even for AkShare fallback. It also attempts to read other skills' directories (ifind-finance-data, brave-search). Requiring and reading tokens/configs from the user's workspace and other skill directories is disproportionate if the user only expects a local data‑puller; ensure you are comfortable storing tokens in the specified files/locations.
Persistence & Privilege
The skill does not request 'always: true' and does not appear to modify other skills or global agent settings. It writes output (data.json, chart, markdown, html, pdf) under ~/.openclaw/workspace/temp which is expected. The notable point is that it reads config files in another skill's workspace rather than only its own files — this is not privilege escalation by itself but increases the blast radius if a token is present there.
What to consider before installing
Before installing:

  • Expect to provide your TUSHARE_TOKEN environment variable; the tool will exit if TUSHARE_TOKEN is not set even if you only want to use AkShare. Verify you are willing to set this.
  • The skill will also try to read an iFinD auth_token from ~/.openclaw/workspace/skills/ifind-finance-data/mcp_config.json; if you don't have iFinD credentials this is optional but the code references that path. Review that file location and avoid placing sensitive tokens in shared/other-skill folders.
  • The fetch implementation calls an iFinD API endpoint and sets requests.verify=False (disables TLS verification). That weakens transport security; consider editing the code to enable certificate verification (verify=True) before use.
  • The skill imports/uses other skill code (brave-search) if present and performs web searches and external network calls (iFinD, Google Fonts, possible web search APIs). If you need to protect data or limit outbound network access, run this in an isolated environment or container.
  • Dependencies include WeasyPrint and other Python packages that may require system libraries; review and install dependencies in a controlled environment.
  • If you plan to use it, audit the included scripts (fetch_company_data.py, generate_markdown_v6.py) yourself for any additional endpoints or logging of tokens, and consider removing/adjusting any verify=False lines and hard exit behavior for missing tokens.

If you want, I can highlight the exact lines in the code that read external tokens, disable SSL verification, and import other skills for you to inspect further.

Like a lobster shell, security has layers — review code before you run it.
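
One way to run the audit the scan recommends, as an added example that is not part of the skill or of the ClawHub report: a static check over a skill's Python source that flags `verify=False` keyword arguments and path literals pointing into another skill's directory. The sample source is constructed to mirror the behaviours the scan describes; `audit_source` and the rule names are hypothetical.

```python
import ast
import re

# Constructed sample standing in for a skill script. It is NOT the real
# fetch_company_data.py, only the patterns the scan describes.
SAMPLE = '''
import os, sys, json, requests
CFG = os.path.expanduser("~/.openclaw/workspace/skills/ifind-finance-data/mcp_config.json")
if not os.environ.get("TUSHARE_TOKEN"):
    sys.exit(1)
def fetch(url, token):
    return requests.post(url, headers={"Authorization": token}, verify=False, timeout=10)
'''

# Captures the skill name in any ".../skills/<name>/..." string literal.
SKILL_PATH = re.compile(r"skills/([A-Za-z0-9_.-]+)")


def audit_source(source, own_skill):
    """Return sorted (line, rule, detail) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                # verify=False on a call disables TLS certificate checking
                # in requests-style HTTP clients.
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append((node.lineno, "tls-verify-disabled", "verify=False"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # A path literal naming a different skill's directory means this
            # code reads (or imports) files it does not own.
            for name in SKILL_PATH.findall(node.value):
                if name != own_skill:
                    findings.append((node.lineno, "cross-skill-path", name))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, detail in audit_source(SAMPLE, "company-onepager"):
        print(f"line {line}: {rule} ({detail})")
```

To audit an installed skill, pass the text of each script under its scripts/ directory to `audit_source` with the skill's own slug as `own_skill`.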

Runtime requirements

Bins: python3
Env: TUSHARE_TOKEN
Primary env: TUSHARE_TOKEN
Tags: china-market, company-research, data-integration, financial-data, financial-report, latest, markdown, onepager, pdf, report-generation, stock-analysis
68 downloads
2 stars
2 versions
Updated 2w ago
v7.1.0
MIT-0

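Company Onepager - Listed-Company "One-Page" Brief (v7.1)

⚠️ Required credential configuration

This skill requires two data-source credentials to be configured in order to run properly:

Credential | Type | How to configure | Where to get it
TUSHARE_TOKEN | Environment variable | export TUSHARE_TOKEN="your_token", or add it to ~/.bashrc | https://tushare.pro
iFinD auth_token | Config file | The auth_token field in ~/.openclaw/workspace/skills/ifind-finance-data/mcp_config.json | iFinD terminal → Tools → Common Tools → Data MCP

Configuration example:

# Tushare token (required)
export TUSHARE_TOKEN="your_tushare_token"

# iFinD token (optional, used to fetch more data)
# Write auth_token into mcp_config.json

Fallback mechanism: when the credential for a higher-priority data source is missing, the skill automatically falls back to the next level:

  • iFinD credential missing → use Tushare
  • Tushare credential missing → use AkShare (no credential required)
  • However, the TUSHARE_TOKEN environment variable must be set (the code checks for it), even when only AkShare is used

Core features

  1. Data priority: iFinD → Tushare → AkShare (web search is not used as a primary data source)
  2. 10-year financial data table: includes revenue per share, cash flow per share, earnings per share, dividend per share, net assets per share, gross margin, net profit margin, operating revenue, net profit, inventory, and other metrics
  3. 10-year monthly candlestick (K-line) chart: price trend + turnover + Zigzag trend line
  4. Data source labeling: every section is labeled with its data source
  5. Web Search enhancement: uses web_search to obtain investment highlights, core products, brand moat, and similar information
  6. Smart shareholder identification: automatically filters out custodian institutions and identifies the actual controlling shareholder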

Workflow

python3 scripts/onepager.py <stock_code>

Examples:

python3 scripts/onepager.py 300308.SZ
python3 scripts/onepager.py 600519.SH

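Data source priority

Priority | Data source | Configuration required | Data coverage
1 | iFinD | auth_token in mcp_config.json | Basic information, financial data, K-line, shareholders, news
2 | Tushare | TUSHARE_TOKEN (env var) | Basic information, market data, financial data, K-line, shareholders
3 | AkShare | No configuration required | Basic information, market data (last-resort fallback)

Note: even when only AkShare is used, the TUSHARE_TOKEN environment variable must be set (the code checks it at startup).

Brief content structure

1. Company basics

  • Company name, stock code, exchange, Shenwan industry classification, listing date, total market capitalization
  • Source label: Data source: iFinD/Tushare/AkShare

2. Market information

  • Latest share price, 52-week high/low, PE (TTM), PB, total market capitalization, dividend yield
  • Source label: Data source: Tushare

3. 10-year monthly K-line chart

  • Monthly closing price trend
  • Price range (high/low)
  • Turnover bar chart
  • Zigzag trend line (turning points identified with an 8% threshold)
  • Annotations for the highest and lowest prices in the period

4. 10-year financial data table

Metric | Description
Revenue per share (CNY) | Annual revenue / total share capital
Cash flow per share (CNY) | Operating cash flow / total share capital
Earnings per share (CNY) | EPS
Dividend per share (CNY) | Annual dividend
Net assets per share (CNY) | BPS
Gross margin (%) | (Revenue - cost) / revenue
Net profit margin (%) | Net profit / revenue
Operating revenue (100 million CNY) | Annual operating revenue
Net profit (100 million CNY) | Annual net profit
Inventory (100 million CNY) | Inventory item on the balance sheet

Table columns: calendar years (2016-2025), with historical data on the left and the most recent year on the right

5. Shareholder structure

  • Controlling shareholder, table of the top five shareholders (name + shareholding percentage)

6. Recent major news

  • Important news from the last 30 days (source: iFinD news service)

7. Data source summary table

  • Summarizes every data type and the data source actually used

Resource files

scripts/

File | Function
onepager.py | Main flow (data fetch → chart → Markdown → PDF)
fetch_company_data.py | Data fetching (iFinD → Tushare → AkShare fallback)
generate_chart.py | 10-year monthly K-line chart + Zigzag
generate_markdown.py | Markdown report (including the 10-year financial table + source labels)
generate_pdf.py | PDF generation (Chinese fonts from Google Fonts)

references/

File | Contents
data_sources.md | Data source priority and field mapping

Notes

  1. Network environment: the iFinD and Tushare APIs need a stable network connection; a proxy may cause timeouts
  2. Token configuration: make sure the iFinD/Tushare tokens are valid and correctly configured
  3. Data completeness: the script validates data completeness and, when data is insufficient, says so explicitly rather than showing "to be added"
  4. Fallback mechanism: when a higher-priority data source fails, the skill automatically falls back to the next level
  5. Chinese support: the PDF uses Google Fonts (Noto Sans SC), so no local Chinese font is required

Install dependencies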

pip install tushare akshare matplotlib numpy requests weasyprint markdown
