ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Data Monorepo

v1.2.5

A 股数据查询技能集合,包含 4 个子技能:cn-stock-volume(成交量)、stock-top-gainers(涨幅排名)、ths-stock-themes(题材概念)、stock-theme-events(题材事件)。 **触发场景**: - 作为 stock-daily-report 的数据源依赖...

0· 51·0 current·0 all-time
by@shinelp100

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for shinelp100/stock-data-monorepo.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Stock Data Monorepo" (shinelp100/stock-data-monorepo) from ClawHub.
Skill page: https://clawhub.ai/shinelp100/stock-data-monorepo
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install stock-data-monorepo

ClawHub CLI

Package manager switcher

npx clawhub@latest install stock-data-monorepo
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code: the repo contains four stock-related sub-skills (index numbers, top gainers, themes, theme-events). Declared Python/browser requirements and pip packages (akshare, sentence-transformers, scikit-learn) align with scraping and NLP/clustering tasks in the files (e.g., cluster_themes.py, fetch_themes.py). Minor inconsistency: top-level registries reported 'no install spec', but SKILL.md contains an 'install' metadata block listing pip packages — the user should ensure dependencies will actually be installed or installed manually.
!
Instruction Scope
Runtime instructions and scripts instruct the agent/user to run Python scripts and to use a 'browser' tool. Several scripts (browser_fetch.py, fetch_data.py) run subprocesses that invoke the OpenClaw CLI (openclaw browser / web-fetch) and even try alternative execution paths (npx, node). fetch_data.py also attempts to read a hardcoded cache file path belonging to another skill (.jvs/.openclaw/workspace/skills/fetch-index-data/cache/2026-03-20.json). The scripts write outputs to user Desktop and workspace. These instructions extend beyond simple HTTP requests (they attempt to call platform tooling and access other skills' files), so review is advised.
Install Mechanism
Registry metadata says 'no install spec' but SKILL.md includes an 'install' array listing pip packages (akshare, sentence-transformers, scikit-learn). The package list is reasonable for the claimed functionality. No remote download/install from arbitrary URLs was observed. Because the repository is code-heavy (many Python scripts), the practical install step is likely 'pip install' + running scripts — confirm how your agent/host will install those pip deps.
!
Credentials
The skill declares no required environment variables or credentials, which matches the description. However, scripts access filesystem locations (Path.home(), ~/.jvs/.openclaw/workspace, user Desktop, and a 'manual' directory) and attempt to read another skill's cache file. Reading other skill directories is unexpected for a single-purpose data fetcher and could expose or reuse unrelated data. The skill also spawns subprocesses that rely on a platform CLI (openclaw/npx/node) and manipulates PATH when invoking them — this increases the runtime environment surface and should be checked.
Persistence & Privilege
The skill does not request 'always: true', does not declare privileged persistent presence, nor does it modify other skills' configurations. It writes output files to standard user paths (workspace, Desktop) and creates 'manual/' files — expected for a reporting tool. There is some cross-skill access (reading a specific cache file) but no evidence the skill auto-enables itself or claims elevated platform privileges.
What to consider before installing
What to check before installing or running this skill: - Review and run the scripts in a sandboxed environment (not on a production host). The code uses subprocess to call 'openclaw', 'npx', and 'node' — confirm those binaries exist and are trustworthy in your environment. - Inspect any subprocess invocations that interpolate strings (the code uses python -c and builds command strings in places). If you will pass untrusted input to the scripts, this can be a command-injection risk. - Note the scripts read/write files under your home directory (workspace, ~/.jvs/.openclaw, ~/Desktop, manual/). If you are uncomfortable with that, run from a separate user or container and change output paths. - The code attempts to read another skill's cache at a hardcoded path; verify you are okay with cross-skill file reads and that no sensitive data exists at that path. - Dependencies: SKILL.md lists pip packages (akshare, sentence-transformers, scikit-learn). Ensure you install them in an isolated virtualenv to avoid dependency conflicts. - If you plan to allow autonomous agent invocation, be cautious: the scripts try to call platform tooling to access a 'browser' tool. If the platform CLI were compromised, this skill could trigger broader actions — consider keeping autonomous invocation disabled until you vet the toolchain. If you want, I can highlight exact lines of concern (subprocess calls, hardcoded cache paths, file-write locations) so you or a developer can inspect them before running.

Like a lobster shell, security has layers — review code before you run it.

latestvk972thse3036ecjfnzh8s7gqdx856x67
51downloads
0stars
3versions
Updated 1w ago
v1.2.5
MIT-0
@shinelp100
latest
Download

Stock Data Monorepo - A 股数据查询技能集合

统一的 A 股数据查询技能集合,包含 4 个相关技能。

📦 包含的技能

技能名称功能版本
cn-stock-volume获取四市(沪市/深市/创业板/北交所)成交金额、放缩量、涨跌家数v1.2.2
stock-top-gainers获取近 10 日个股涨幅排名(前 20 只,排除 ST)v1.0.0
ths-stock-themes获取同花顺个股题材/概念板块和人气排名数据v1.0.0
stock-theme-events获取 A 股市场炒作题材对应的真实新闻事件v1.0.3

🚀 使用方式

本 Monorepo 是一个技能集合,建议在 stock-daily-report 等上层技能中通过调用各子技能的脚本使用:

# 设置路径变量(推荐)
STOCK_DATA_PATH=~/.hermes/skills/stock-data-monorepo

# 查询四市成交量
python3 $STOCK_DATA_PATH/cn-stock-volume/scripts/fetch_data.py

# 获取近 10 日涨幅排名
python3 $STOCK_DATA_PATH/stock-top-gainers/scripts/fetch_gainers.py

# 查询股票题材
python3 $STOCK_DATA_PATH/ths-stock-themes/scripts/fetch_themes.py [股票代码]

# 生成题材事件报告
python3 $STOCK_DATA_PATH/stock-theme-events/scripts/generate_report.py

📊 技能依赖关系

stock-daily-report (上层应用)
    ├── cn-stock-volume ⭐ (必需 - 指数数据)
    ├── stock-top-gainers ⭐ (必需 - 涨幅排名)
    ├── ths-stock-themes ⭐ (必需 - 题材数据)
    └── stock-theme-events (可选 - 深度分析)

目录结构

stock-data-monorepo/
├── SKILL.md                    # 本文件
├── cn-stock-volume/           # 成交量数据
│   ├── SKILL.md
│   └── scripts/
│       └── fetch_data.py
├── stock-top-gainers/         # 涨幅排名
│   ├── SKILL.md
│   └── scripts/
├── ths-stock-themes/          # 题材概念
│   ├── SKILL.md
│   └── scripts/
└── stock-theme-events/        # 题材事件
    ├── SKILL.md
    └── scripts/

⚠️ 注意事项

  1. 数据时效性:所有数据均为实时或 T+1 数据,建议在报告中注明数据获取时间
  2. ST 股票:涨幅排名自动排除 ST 股票,其他技能需手动过滤
  3. 依赖安装 
    pip install akshare sentence-transformers scikit-learn
  4. browser 工具:部分技能需要 browser 工具访问网页获取数据

📝 更新日志

v1.2.3 (2026-04-16)

  • 添加 YAML frontmatter 元数据
  • 修正硬编码路径为可配置路径

v1.2.2 (2026-03-21)

  • cn-stock-volume: 修复非交易日数据处理逻辑,自动使用最近交易日数据
  • stock-top-gainers: 新增完整脚本(browser_fetch.py, fetch_gainers.py, parse_snapshot.py)
  • stock-theme-events: 新增 run_full_analysis.py 完整分析脚本

v1.2.1 (2026-03-21)

  • Monorepo 合并,统一目录结构

Comments

Loading comments...