StockBuddy
v1.0.8Multi-market stock analysis and portfolio execution assistant for CN, HK, and US equities. Provides technical + basic valuation analysis, portfolio review, a...
⭐ 1· 113·0 current·0 all-time
byTacit Lab@tacitlab
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (multi-market analysis + portfolio execution) matches the included scripts: analyze_stock.py (data fetch + analysis), portfolio_manager.py (positions/accounts/rules), and db.py (SQLite persistence). The declared data sources (Tencent, Yahoo, EastMoney, SEC) align with code network calls.
Instruction Scope
SKILL.md instructs running the bundled scripts and to persist durable facts while computing live metrics at runtime. The code implements caching and stores watchlist/portfolio/kline data in ~/.stockbuddy/stockbuddy.db (including a last_price column). The README rule 'Do not write latest price, position weight, or unrealized P&L back into durable storage' appears in tension with code paths (portfolio_manager.ensure_watch_item / upsert_watchlist_item) that populate last_price/quote_time. This is an implementation vs documentation inconsistency rather than clear malicious behavior, but it affects expectations about what data is persisted.
Install Mechanism
There is no package manager install spec (lowest risk), but a bundled install_deps.sh will attempt pip3 installs (including --break-system-packages and --user fallbacks). Running that script will modify the Python environment if invoked; it's optional per SKILL.md (only run if dependencies missing) but you should review/execute it in a controlled environment (virtualenv/container) to avoid altering system Python packages.
Credentials
The skill does not request environment variables, external credentials, or secrets. All external interactions are with public finance data providers described in the docs. No unrelated service keys or system credentials are requested.
Persistence & Privilege
The skill persists data to an on-disk SQLite DB at ~/.stockbuddy/stockbuddy.db (watchlist, positions, kline, caches). This is expected for a portfolio tool but is persistent on the user's home directory. always is false and the skill does not request elevated OS privileges. If you prefer not to persist data globally, run in an isolated user or containerized environment or review/modify DB_PATH in db.py.
Assessment
What to consider before installing: 1) Persistence: the tool stores portfolio, watchlist, K-line and cached analysis in ~/.stockbuddy/stockbuddy.db — review and backup or run it in an isolated environment if you don't want persistent files in your home directory. 2) Network access: the scripts fetch data from public finance endpoints (Tencent, EastMoney, Yahoo, SEC). If you require offline or audited endpoints, inspect the data-fetch code before use. 3) Dependency installation: install_deps.sh may modify your Python environment (uses pip and --break-system-packages); prefer using a virtualenv or container. 4) Documentation mismatch: SKILL.md says not to persist 'latest price' etc., but code writes last_price/quote_time to the DB — if that matters for your privacy/operational model, inspect/adjust the upsert_watchlist/ensure_watch_item flow. 5) No secret keys requested: the skill does not ask for API keys or other credentials. 6) If you plan to allow autonomous agent invocation, be aware the skill can run these scripts and access the DB; consider limiting autonomy or auditing runtime interactions. If you want higher assurance, run the code locally first and review network traffic and the DB contents before granting broader use.Like a lobster shell, security has layers — review code before you run it.
financevk97bcc381se6db137ae9xqa9hh8412zylatestvk97ckn22tk3k457rbcpbdq195584b87rstocksvk97bcc381se6db137ae9xqa9hh8412zy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.