FP-DCF

v0.5.0

Estimate intrinsic value with a first-principles DCF from structured JSON or provider-backed ticker input, and return auditable FCFF, WACC, and per-share val...

by tiejiang @tiejiang8
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (first-principles DCF) match the repository contents and runtime contract. The package contains a Python CLI, data provider modules (yahoo, akshare_baostock), and examples; requiring python3/python is appropriate and proportional.
Instruction Scope
SKILL.md gives concrete, limited runtime instructions: build a JSON payload, run the provided runner (scripts/run_dcf.py or python -m fp_dcf.cli), and read JSON/artifact outputs. It does not instruct reading unrelated host files, environment secrets, or sending outputs to unexpected external endpoints. The only notable non-functional text is a repository workflow note (commit-to-branch guidance) that is unrelated to runtime execution but not harmful.
Install Mechanism
No install spec in the registry (instruction-only), and the SKILL.md documents normal pip installation and runtime dependencies (akshare, baostock, numpy, pandas, yfinance, matplotlib). There are shipped code files (so the skill is executable), but no download-from-arbitrary-URL or extract-from-unknown-host behavior in metadata — low install risk. Users should still install dependencies from official package indexes.
Credentials
The skill does not request environment variables, credentials, or config paths. It uses network-backed data providers (Yahoo, AkShare/BaoStock) which may perform HTTP requests; that network access is expected for the stated purpose. No disproportionate secret access is requested.
Persistence & Privilege
Skill flags are standard: always=false, user-invocable=true, and it does not request persistent platform-level privileges. It can create local cache files (SKILL.md documents a cache_dir option), which is appropriate for provider caching.
Scan Findings in Context
[base64-block] expected: Base64 blocks were detected in example SVG/PNG artifacts (embedded image data). This is expected because the repository includes auto-rendered chart images embedded inline in example SVG/PNG files.
Assessment
This is a Python-based DCF engine that matches its description. Before installing or running: (1) ensure a controlled environment (virtualenv/container) and that python3 is available; (2) install dependencies from trusted package repositories (pip install . or pip install the listed libs) and review dependency versions; (3) be aware the provider modules will make network requests to Yahoo and (for CN market fallback) AkShare/BaoStock — no credentials are required, but network access and a local cache directory are used; (4) the tool writes JSON output and chart files (SVG/PNG) to the workspace or specified output paths and may create a provider cache; (5) if you need higher assurance, inspect provider code (fp_dcf/providers/*.py) for any unusual network endpoints or behavior and run first in a sandbox. The repository workflow guidance in SKILL.md (commit directly to branch) is non-runtime text and not relevant to execution, but it’s unusual to find such contributor instructions in an execution README.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

📉 Clawdis
Any bin: python3, python
