Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gangtise Kb

v1.0.0

Query Gangtise knowledge base API to search and retrieve financial/market information. Use when the user asks about stocks, companies, market concepts, finan...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hmaya/gangtise-kb.

Install the skill "Gangtise Kb" (hmaya/gangtise-kb) from ClawHub.
Skill page: https://clawhub.ai/hmaya/gangtise-kb
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install gangtise-kb

ClawHub CLI

npx clawhub@latest install gangtise-kb

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The name, description, and scripts match the stated purpose (querying Gangtise knowledge base). However the repository includes a pre-populated config.json with ACCESS_KEY/SECRET_KEY (credentials) and the top-level wrapper expects a local binary (gangtise-kb/gangtise-kb.py) that is not present in the file manifest — packaging is inconsistent with the expected runtime.

Instruction Scope

SKILL.md and the scripts only call Gangtise API endpoints and store/use API credentials; they do not attempt to read unrelated system files. Concerns: multiple scripts disable SSL certificate verification (ctx.check_hostname=False and verify_mode=CERT_NONE or use of ssl._create_unverified_context()), which weakens transport security. temp_query.py performs several automated queries when run (not harmful by itself but will send queries using whatever credentials are present).

Install Mechanism

This is an instruction-and-script-only skill with no install spec or external downloads. No archive extraction or remote installers are used.

Credentials

The skill declares no required environment variables, but the package ships with a filled config.json containing ACCESS_KEY and SECRET_KEY. Including live credentials in the bundle is disproportionate and risky (leaked/compromised keys, unintended usage). The scripts will use those keys automatically if the user does not overwrite them. No other unrelated credentials are requested.

Persistence & Privilege

The skill does not request elevated privileges and is not always-enabled. It stores configuration in a local config.json file (its own path) and configure.py sets file permissions to 600. That behavior is expected, but the presence of a pre-filled config.json means the skill will persist and use embedded credentials unless changed.

What to consider before installing

This skill appears to implement a legitimate Gangtise KB client, but there are notable red flags you should address before using it:

  1. The package includes config.json with ACCESS_KEY and SECRET_KEY already filled — do not assume these are safe to use. Remove or overwrite that file and provide your own credentials (and rotate any real keys if published).
  2. The network code disables SSL certificate verification; consider editing get_token.py/query_kb.py/temp_query.py to use normal certificate checks (remove the check_hostname/verify_mode overrides or use a verified context).
  3. The top-level wrapper expects a binary gangtise-kb/gangtise-kb.py which is not present — the skill may fail or behave unexpectedly; inspect and test in a sandbox.
  4. Run these scripts in a controlled environment (offline or network-restricted VM) until you replace credentials and fix SSL settings.

If you plan to grant persistent or autonomous invocation to an agent, be extra cautious because the embedded credentials could be used without further prompts. If you want me to, I can show the exact lines to change to re-enable SSL verification or help remove the embedded credentials safely.

Like a lobster shell, security has layers — review code before you run it.

latest vk9797js29fydx2j0y0y2gc0735832z7w
212 downloads
0 stars
1 version
Updated 21h ago
v1.0.0
MIT-0

Gangtise Knowledge Base Skill

This skill provides access to Gangtise's knowledge base API for querying financial and market information.

First Time Setup

Before using this skill, you need to configure your API credentials:

python3 scripts/configure.py

You will be prompted to enter your Access Key and Secret Key, which can be obtained from: https://open.gangtise.com

Authentication

The API uses OAuth2-style authentication:

  1. Use Access Key + Secret Access Key to get an access token via loginV2
  2. The accessToken returned by the V2 endpoint already carries the Bearer prefix, so subsequent API calls do not need to prepend it again

Auth Request

{
  "accessKey": "your-access-key",
  "secretAccessKey": "your-secret-key"
}

Auth Response

{
  "code": "000000",
  "data": {
    "accessToken": "Bearer xxxx-xxxx-xxxx-xxxx",
    "expiresIn": 3600,
    "uid": 123,
    "userName": "your-name",
    "tenantId": 1,
    "time": 1704067200
  }
}

Base URL

  • Base URL: https://open.gangtise.com

Available Scripts

Configuration (First Time Setup)

python3 scripts/configure.py

Interactive setup for API credentials. Run this first before using any other scripts.

Get Access Token

python3 scripts/get_token.py

Returns a valid access token for API calls.

Query Knowledge Base

# Basic query
python3 scripts/query_kb.py "比亚迪最新消息"

# With options
python3 scripts/query_kb.py "特斯拉" --type 10,40 --top 5 --days 180

# With explicit token
python3 scripts/query_kb.py "宁德时代" --token YOUR_TOKEN

API Endpoints

Authentication

  • POST /application/auth/oauth/open/loginV2
    • Body: { "accessKey": "...", "secretAccessKey": "..." }
    • Returns: { "code": "000000", "data": { "accessToken": "..." } }
    • Note: the accessToken returned by the V2 endpoint already carries the Bearer prefix

Knowledge Base Query

  • POST /application/open-data/ai/search/knowledge/batch
    • Header: Authorization: Bearer {token}
    • Content-Type: application/json

Request Parameters

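| Parameter | Required | Type | Description |
|---|---|---|---|
| queries | | List<String> | List of query conditions; at most 5 queries are supported |
| top | | Integer | Number of documents to return; default 10, maximum 20 |
| resourceTypes | | List<Integer> | List of knowledge base resource types |
| knowledgeNames | | List<String> | Knowledge base type (only the system library is used by default) |
| startTime | | Long | Query start time (13-digit timestamp) |
| endTime | | Long | Query end time (13-digit timestamp) |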

Resource Types

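| Code | Type | Description |
|---|---|---|
| 10 | Brokerage research reports | Research reports published by securities firms |
| 20 | Internal research reports | Institution-internal research reports |
| 40 | Chief analyst opinions | Analyst opinion articles |
| 50 | Company announcements | Listed-company announcements |
| 60 | Meeting platform minutes | Meeting minutes |
| 70 | Research minutes announcements | Research minutes |
| 80 | Online resource minutes | Online resources |
| 90 | Industry official accounts | Articles from industry-related official accounts |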

Knowledge Names

  • system_knowledge_doc - System library (default)
  • tenant_knowledge_doc - Tenant library
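
Added example, not part of the skill's own scripts: request construction for the two endpoints above with certificate verification left on, the Bearer prefix added only when it is missing, and the documented limits enforced before anything is sent. The function names, the lower bounds of 1, and the mapping of a look-back window in days onto startTime/endTime are assumptions.

```python
import json
import ssl
import time
import urllib.request

BASE_URL = "https://open.gangtise.com"
LOGIN_PATH = "/application/auth/oauth/open/loginV2"
QUERY_PATH = "/application/open-data/ai/search/knowledge/batch"
RESOURCE_TYPES = {10, 20, 40, 50, 60, 70, 80, 90}


def tls_context():
    # Default context: CERT_REQUIRED plus hostname checking. No
    # check_hostname / verify_mode overrides, no unverified context.
    return ssl.create_default_context()


def auth_header(login_response):
    """Build request headers from a parsed loginV2 response."""
    if login_response.get("code") != "000000":
        raise ValueError("login failed: code=%r" % login_response.get("code"))
    token = login_response["data"]["accessToken"].strip()
    # V2 tokens already carry the prefix; add it only when it is missing.
    if not token.startswith("Bearer "):
        token = "Bearer " + token
    return {"Authorization": token, "Content-Type": "application/json"}


def query_body(queries, top=10, resource_types=(), days=None, now_ms=None):
    """Validate against the documented limits; return the JSON body bytes."""
    if not queries or len(queries) > 5:
        raise ValueError("queries: between 1 and 5 entries")
    if not 1 <= top <= 20:  # lower bound of 1 is an assumption
        raise ValueError("top: at most 20")
    unknown = set(resource_types) - RESOURCE_TYPES
    if unknown:
        raise ValueError("unknown resourceTypes: %s" % sorted(unknown))
    body = {"queries": list(queries), "top": top}
    if resource_types:
        body["resourceTypes"] = list(resource_types)
    if days is not None:  # assumed mapping of a look-back window to ms stamps
        end = int(time.time() * 1000) if now_ms is None else now_ms
        body["startTime"], body["endTime"] = end - days * 86_400_000, end
    return json.dumps(body, ensure_ascii=False).encode("utf-8")


def post(path, data, headers):
    """POST to the API over verified TLS; returns the parsed JSON reply."""
    req = urllib.request.Request(BASE_URL + path, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15, context=tls_context()) as resp:
        return json.loads(resp.read().decode("utf-8"))
```
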

Response Format

{
  "code": "000000",
  "msg": "操作成功",
  "status": true,
  "data": [
    {
      "query": "查询问题",
      "data": [
        {
          "content": "文本切片内容",
          "resourceType": 10,
          "title": "文件标题",
          "company": "公司",
          "industry": "行业",
          "time": 1746506803000,
          "sourceId": "溯源id",
          "knowledgeName": "知识库名称",
          "extraInfo": {
            "position": {
              "page": [1],
              "totalPages": 14,
              "polygon": []
            }
          }
        }
      ]
    }
  ]
}

HTTP Status Codes

| Status code | Description |
|---|---|
| 200 | Operation successful |
| 429 | API busy, please try again later |

Usage Examples

Query single topic

python3 scripts/query_kb.py "比亚迪" --top 3

Query with specific resource types

python3 scripts/query_kb.py "新能源" --type 10,50 --top 5

Query with time range (last 30 days)

python3 scripts/query_kb.py "AI芯片" --days 30 --top 10

Raw JSON output

python3 scripts/query_kb.py "宁德时代" --json

Configuration File

Credentials are stored in config.json (created automatically by configure.py):

{
  "ACCESS_KEY": "your-access-key",
  "SECRET_KEY": "your-secret-key",
  "BASE_URL": "https://open.gangtise.com"
}

Note: The configuration file has restricted permissions (600) to protect your credentials.
