MarketSensor
v1.0.0AI 驱动的股票多因子分析——查自选、看报告、触发分析、查额度。支持美股、加密货币、A 股。
⭐ 0· 102·0 current·0 all-time
by@xmhu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description describe an API-based market analysis assistant and the skill only requires a single API key (MARKETSENSOR_API_KEY) and calls endpoints under api.marketsensor.ai — this is proportional and expected for the declared capabilities.
Instruction Scope
SKILL.md and the included scripts only instruct use of MarketSensor API endpoints and curl; the handler hook inspects the incoming prompt (process.env.CLAUDE_USER_PROMPT) to detect stock-related requests and prints a reminder. The hook does not exfiltrate secrets or read unrelated files, but it does access the runtime prompt (not declared in requires.env) — expected for a prompt-triggered hook but worth noting.
Install Mechanism
No install spec; files are instruction/scripts/hooks shipped with the skill. There are no downloads from untrusted URLs or archive extraction. Scripts are simple shell/curl commands and a small Node hook — no high-risk install behavior observed.
Credentials
The only required environment variable is MARKETSENSOR_API_KEY (declared as primaryEnv) which is exactly what's needed to authenticate to the MarketSensor API. The hook reads CLAUDE_USER_PROMPT (platform-provided), which is not a secret credential; no other secret env vars or unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and can be invoked by the user; it does include a prompt hook (UserPromptSubmit) that triggers a reminder when stock-related keywords appear, but it does not modify other skills or system settings and does not request permanent elevated privileges.
Assessment
This skill appears to do what it says: use your MarketSensor API key to call api.marketsensor.ai for watchlist, analysis, report, and quota operations. Before installing: (1) Verify the MarketSensor service and domain (https://www.marketsensor.ai) are legitimate and you trust the provider; (2) Use an API key with appropriate scope/limits (do not reuse high-privilege keys); (3) Be aware the skill includes a hook that inspects your submitted prompt (CLAUDE_USER_PROMPT) to decide when to remind the agent to call the API — this reads user input (not secrets) but may run whenever prompts mention stock terms; (4) If you have privacy concerns, review what user prompts the platform exposes to hooks and avoid placing sensitive data in prompts; (5) If you need extra assurance, test with a limited/throwaway API key and confirm behavior (rate limits, responses) before using production credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk978tf91gye9yt5af9g8qrsqe583w9bb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📊 Clawdis
OSmacOS · Linux · Windows
EnvMARKETSENSOR_API_KEY
Primary envMARKETSENSOR_API_KEY