Noah Stock Market
v1.2.10用于港股和美股市场数据查询与结构化行情摘要。当用户询问股票当前价格、最新行情、市场快照、分时走势、K线、盘口摆盘、逐笔成交、经纪队列、市场是否开盘、个股资金流向、板块与板块成分股、股票基础信息、期权到期日或期权链等场景时使用。适用于 HK-00700、US-AAPL 这类标准代码,也适用于用户直接输入股票名称或简...
⭐ 0· 162·0 current·0 all-time
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md clearly requires an internal API key (NOAH_MARKET_APIKEY) and a base URL (NOAH_API_BASE_URL) to function and documents many endpoints (including wealth/balance endpoints). However the registry metadata lists no required environment variables or primary credential. Also the skill claims only read-only market data but advertises 'wealth' queries (balance, total asset, cash assets) which may imply access to user/account-specific data — the documentation does not explain what credentials are needed for those endpoints or why they are safe to include in a public skill package.
Instruction Scope
Runtime instructions are focused on read-only queries and emphasize not exposing tokens to end users; they instruct using local secrets and calling provided scripts (scripts/run_query.py, route_query.py). This stays within the stated market-data purpose. However instructions reference reading a secrets file and multiple reference docs; developer-mode allows exposing internal URLs and parameters, so misuse or incorrect mode selection could leak internal endpoints or tokens. There are also small inconsistencies in recommended secret paths across docs (e.g., ~/.openclaw/.secrets/noah-market.env vs <repo-or-workspace-root>/.secrets/noah-market.env).
Install Mechanism
No install spec is provided (instruction-only), which lowers supply-chain risk; however the package includes many Python scripts and OpenAPI/YAML artifacts but no declared runtime or dependency list (no required python, pip packages, or virtualenv instructions). That omission is inconsistent with the shippped code: running the scripts will require a Python runtime and likely third-party libs. This mismatch is a practical risk (user may run code assuming dependencies present) but not itself evidence of malice.
Credentials
The skill's docs repeatedly state that NOAH_MARKET_APIKEY and NOAH_API_BASE_URL are required, and warn users explicitly not to use unrelated tokens (GitHub/OpenClaw). Yet the registry metadata lists zero required env vars and no primary credential. That gap is a notable incoherence: a skill that needs a bearer API key should declare it. Also the skill advertises wealth/account endpoints (balances, total assets) but doesn't clarify whether they require additional, more-sensitive credentials—this proportionality and justification are missing.
Persistence & Privilege
The skill does not request always:true and does not declare any system config path modifications. It uses local secrets files for auth and instructs running contained scripts; it doesn't request elevated platform privileges. Autonomous invocation (disable-model-invocation: false) is normal and not by itself flagged.
What to consider before installing
Key things to consider before installing:
- The skill documentation requires an internal API key (NOAH_MARKET_APIKEY) and base URL, but the registry metadata does not declare any required environment variables — ask the maintainer to correct the manifest so the required secret is explicit. Don’t proceed until you know exactly which credential(s) are needed and why.
- The package contains many Python scripts that will be executed by the agent; there is no install/runtime dependency list. Review scripts/run_query.py and scripts/quote_client.py locally to confirm they only call the documented internal API and do not send secrets elsewhere. Run them in a controlled, offline environment first.
- The skill advertises 'wealth' queries (balances/total assets). Confirm whether those endpoints return account-specific private data and what credentials they require; avoid providing account-scoped credentials unless you trust the source and have audited the code that accesses them.
- Verify the skill source (owner ID has no homepage provided). Prefer installing only if you can access the repository to inspect code and confirm no hidden endpoints or telemetry; insist the author update the registry metadata to list NOAH_MARKET_APIKEY and NOAH_API_BASE_URL as required env vars and to provide dependency/install instructions.
- If you decide to test, use a non-production or scoped API key and run the provided smoke_test locally to validate behavior; never paste real tokens into chat or public fields.Like a lobster shell, security has layers — review code before you run it.
latest
Noah Stock Market
港股 / 美股只读市场数据 skill。通过公司内部证券 Open API 获取市场数据,并将原始结果整理成适合聊天场景阅读的结构化摘要。
Usage notice:本 skill 只提供市场数据查询与整理,不提供下单、持仓、账户或投资建议。
Installation / Usage Prerequisite
本 skill 依赖公司内部证券 Open API。通过 ClawHub / OpenClaw 安装后,用户仍需补充 market token。
推荐配置文件:
~/.openclaw/.secrets/noah-market.env
推荐最小配置:
NOAH_MARKET_APIKEY=your_common_token
NOAH_API_BASE_URL=https://securities-open-api.noahgroup.com
说明:
- 当前生产 market 域名已固定为
https://securities-open-api.noahgroup.com noah-stock-market与noah-stock-trade共用同一个通用 token- token 不内置;安装后用户需自行补充
NOAH_MARKET_APIKEY - 不要让用户额外提供与 market 查询无关的配置项
Skill Routing
当前环境已验证支持:
- 个股快照 / 最新行情
- 实时分时 / K线(含时间范围 K 线)
- 逐笔成交 / 经纪队列
- 市场状态 / 全局市场状态
- 交易日历
- 个股资金流向
- 股票基础信息
- IPO 列表 / 排行榜 / 条件选股
- 美股分析(US analysis)
- 港美股财务数据
- 股东增减持榜单
- 财富类查询:余额、总资产、现金类资产、固收资产、私募资产、银行定存详情
不支持:
- 下单 / 撤单 / 改单
- 账户 / 持仓 / 资金查询
- 任何交易写操作
- 主观投资建议或收益承诺
Preflight
- 先读取
references/auth-and-preflight.md,确认 API 配置与 token 读取方式。 - 再根据用户意图,按需读取对应 reference:
- 标的识别 / 代码标准化 →
references/symbol-resolution.md - 快照 / 最新行情 →
references/snapshot-and-quote.md - 分时 / K线 →
references/kline-and-intraday.md - 逐笔 / 经纪队列 →
references/orderbook-ticker-broker.md - 市场状态 / 交易日 →
references/market-status.md - 资金流向 →
references/capital-flow.md - 基本信息 →
references/plates-and-basicinfo.md - API 意图映射 →
references/api-mapping.md - 使用方式总览 →
references/usage-guide.md - 当前限制 →
references/known-limitations.md
- 标的识别 / 代码标准化 →
Execution Rules
-
默认只走只读接口。
-
优先使用标准代码发请求:港股
HK-00700,美股US-AAPL。 -
用户输入名称、简称或裸代码时,先做标准化,再请求接口。
-
如标的存在歧义,不要猜;先返回候选或要求用户澄清市场 / 代码。
-
默认返回结构化摘要,不直接倾倒整段原始 JSON。
-
仅当用户明确要求“明细”“完整逐笔”时,才展开更多原始字段。
-
排行榜、IPO 列表属于扩展能力;只有当用户明确问到时才使用。
-
对
wealth_total_asset与wealth_private_contract_asset_list:- 如果用户明确给出币种,则按用户指定币种查询
- 如果用户未给出币种,则默认按
USD查询
Recommended Script Entry
优先通过 scripts/run_query.py 调用已验证能力:
协议规则(重要):
-
references/openapi.yaml、references/enum.yaml、references/entity.yaml是本 skill 的协议源文件。 -
凡是 openapi 参数声明为枚举引用(
enum.yaml#/...),调用时必须从references/enum.yaml取值并校验,禁止按语义猜测枚举值。 -
若协议源缺失、解析失败或传入值不在 enum 中,应直接报错,不要构造猜测参数继续请求。
-
snapshot -
market_state -
global_state -
intraday -
ticker -
broker_queue -
kline -
capital_flow -
basicinfo -
trading_days -
us_analysis -
rank -
ipo_list -
financial_hk -
financial_us -
shareholder_inc_red_hold -
shareholder_inc_red_hold_by_ucode -
wealth_balance_list -
wealth_cash_total_asset -
wealth_fixed_income -
wealth_private_contract_asset_list -
wealth_total_asset
示例:
python3 scripts/run_query.py snapshot HK-00700
python3 scripts/run_query.py market_state HK-00700
python3 scripts/run_query.py global_state HK-00700
python3 scripts/run_query.py intraday HK-00700
python3 scripts/run_query.py ticker HK-00700 num=10
python3 scripts/run_query.py broker_queue HK-00700
python3 scripts/run_query.py kline HK-00700 num=10 ktype=K_DAY
python3 scripts/run_query.py kline HK-00700 from=20260401000000000 to=20260413235959999 ktype=K_DAY autype=NONE
python3 scripts/run_query.py capital_flow HK-00700 num=5
python3 scripts/run_query.py basicinfo HK-00700
python3 scripts/run_query.py trading_days HK-00700 start=20260401 end=20260430
python3 scripts/run_query.py us_analysis US-AAPL
python3 scripts/run_query.py rank HK market_codes=HK rank_field=raisePercent page=1 page_size=10
python3 scripts/run_query.py ipo_list HK market=HK
python3 scripts/run_query.py financial_hk HK-00700 type_code=DT4 year=2024
python3 scripts/run_query.py financial_us US-AAPL type_code=DT4 year=2024
python3 scripts/run_query.py shareholder_inc_red_hold HK market=HK shareholder=EVENT_DATE order_code=DESCEND page=1 page_size=10
python3 scripts/run_query.py shareholder_inc_red_hold_by_ucode HK-00700 shareholder=EVENT_DATE order_code=DESCEND page=1 page_size=10
python3 scripts/run_query.py wealth_balance_list HK
python3 scripts/run_query.py wealth_cash_total_asset HK
python3 scripts/run_query.py wealth_fixed_income HK productTypeList=NOTE,DEPOSIT_COM toCcy=HKD showTotalAsset=true
python3 scripts/run_query.py wealth_private_contract_asset_list HK toCurrency=HKD queryType=ALL positionStatus=HOLDING isPaging=true
python3 scripts/run_query.py wealth_total_asset HK toCurrency=HKD
如果脚本返回 ok=false,先直接向用户说明失败原因,不要编造数据。
如果用户没有指定 K 线周期与数量,kline 默认使用 num=5、ktype=K_DAY、autype=NONE。
如果用户直接用自然语言提问,可优先尝试 scripts/route_query.py 做第一轮意图识别,再落到 scripts/run_query.py。
当前 route_query.py 已支持基础的 K 线周期识别(如日K、周K、月K、5分钟K)与数量识别(如“最近10根”)。
Output Style
默认输出顺序:
- 一句话结论
- 关键数据
- 补充观察
- 数据时间 / 状态说明
要求:
- 把枚举值翻译成人话,不直接输出原始枚举代码。
- 对港股 / 美股盘前盘后状态做明确说明。
- 对停牌、退市、无权限订阅、空数据等情况直接说明原因。
- 保持客观,不给买卖建议。
Response Mode Rule
开发模式
当用户在开发、调试、设计或排查这个 skill 时,可以说明:
- 使用了哪个接口
- 请求参数
- 返回结构
- 当前实现逻辑与已知问题
股票帮手模式
当 skill 面向最终用户实际使用时:
-
只回答用户需求与结果
-
只展示清晰、简洁、业务化的数据结果
-
不暴露接口 URL、路径、token、脚本名、内部实现逻辑
-
不把开发调试信息带给最终用户
-
如果用户询问“
noah-stock-market有什么功能”“你支持什么功能”“这个 skill 能做什么”等能力范围问题,优先用下面这套标准口径回答:noah-stock-market目前支持港股和美股的只读市场数据查询,主要包括:- 个股快照 / 最新行情
- 分时走势 / K线
- 逐笔成交 / 经纪队列
- 市场状态 / 全局市场状态
- 交易日历
- 个股资金流向
- 股票基础信息
- IPO 列表 / 排行榜
- 美股分析
- 港美股财务数据
- 股东增减持信息
- 财富类查询(余额、总资产、固收、私募、现金、银行定存详情)
你可以直接用自然语言提问,比如:
- 看一下腾讯现在的股价
- 看腾讯最近 10 根日 K
- 查一下腾讯资金流向
- 现在港股开盘了吗
- 看港股涨跌幅排行榜
- 查一下苹果的美股分析
- 看一下腾讯的财务数据
- 查一下腾讯最近的股东增减持
一句话概括就是:
noah-stock-market已经覆盖港股 / 美股常用行情查询、结构化分析,以及财务和股东增减持这两类扩展数据能力。
Notes
- 市场代码当前一期只重点支持港股和美股。
- 港股标准代码格式:
HK-00700 - 美股标准代码格式:
US-AAPL - token 与 base URL 不写入 skill 正文,从本地 secrets 配置读取。
Comments
Loading comments...