Mystock
v1.1.6
MyStock - My intelligent stock assistant. Use when user asks about stock quotes, market analysis, limit-up tracking, shareholder dynamics, investment research, or portfolio managem...
by @wangz
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (stock quotes, limit-up analysis, shareholder dynamics, portfolio UI) matches the code and files: FastAPI backend, Vue front-end, pywencai usage, local JSON/SQLite data and an AI chat bridge. The presence of optional AI provider env vars (AI_PROVIDER, AI_API_KEY) is consistent with the AI chat capability described.
Instruction Scope
SKILL.md instructs running scripts/install.sh and start.sh to install dependencies, set NODE_PATH, and start backend + frontend. The runtime instructions call local APIs and external data sources (qt.gtimg.cn, pywencai) which is expected. There are no instructions to read unrelated system secrets or arbitrarily exfiltrate local files; however the skill will forward user messages and optional history to configured external AI providers if you set AI_API_KEY.
Install Mechanism
There is no registry-level install spec but the repo includes scripts/install.sh and start.sh that the README and SKILL.md recommend running. The docs instruct installing Node.js and globally installing jsdom (npm -g jsdom), and pip installing backend requirements. Global npm installs and install scripts can modify system state and require elevated privileges; you should review scripts/install.sh and start.sh before running. The presence of install scripts increases risk compared with pure instruction-only skills.
Credentials
Registry metadata lists no required env vars; the code treats AI_PROVIDER and AI_API_KEY as optional (defaults to rule-based 'silence' provider). Requesting an AI API key is proportionate to the described AI chat feature. No other unrelated credentials are requested. Be aware that any API key you supply will be sent to the chosen provider via network calls, and chat history/messages may be transmitted.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It runs a local server and web UI when started; these are confined to the host where you run the scripts. No evidence of attempts to persist beyond the project files or to change system-wide agent settings.
Assessment
This repo is internally consistent with its stated purpose (local stock web UI + AI assistant). Before installing or running anything:
1) Manually inspect scripts/install.sh and start.sh (they run installers and may perform global npm installs); don't run unknown install scripts with sudo without review.
2) If you provide an AI API key (AI_API_KEY), understand the skill will send user messages and history to that provider — only use keys for providers you trust or run with AI_PROVIDER=silence to avoid external calls.
3) Run the app in a sandbox/container or on a throwaway VM if you want extra safety.
4) Review network endpoints used (qt.gtimg.cn, pywencai, and configured AI providers) and the scripts that may download resources.
5) If you need higher assurance, request the full contents of scripts/install.sh/start.sh and any code that the install script fetches so you can review or audit them before execution.
Like a lobster shell, security has layers — review code before you run it.
latestvk970cmwwtyadhseypp18rz95vd83vc4v
