Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

qutedance-quotes

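Provides real-time quote lookup for A-shares, Hong Kong stocks and futures, stock/futures search, and the A-share sector top gainers/losers list.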

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md and the JS implementation all align: the skill queries quotedance-service endpoints for quotes, plate/top info and search. It does not request unrelated credentials or binaries.
Instruction Scope
SKILL.md instructs the agent and users to call the listed quotedance endpoints and to run the included Node script; it does not ask the agent to read unrelated files. However the docs explicitly advise writing the API key directly into the skill's config.json (repo file), which expands the data surface and is insecure.
Install Mechanism
No install specification or download steps; this is an instruction+script skill with no external installers. The script runs normal HTTP calls and filesystem reads; nothing is written to disk by an installer.
Credentials
No required env vars are declared, but the code will read process.env.QUTEDANCE_API_KEY as a fallback and the SKILL.md encourages putting the API key in config.json. Storing secrets in a repository file is disproportionate and risky. The configured serviceUrl (https://quotedance.api.gapgap.cc) is an external endpoint — expected for this skill but you should verify you trust that host.
Persistence & Privilege
Skill does not request always:true, does not modify other skill or system configs, and runs only when invoked. Autonomous invocation is enabled by default (disable-model-invocation=false), which is platform-normal; combine that with the credential concerns if you allow autonomous runs.
What to consider before installing
This skill appears to do what it claims (fetch market quotes) but it recommends storing your API key inside the shipped config.json and points to an external service URL. Before installing:

  1. Verify and trust the service host (https://quotedance.api.gapgap.cc) or host your own quotedance-service.
  2. Do NOT store secrets in the repo config.json—use an environment variable (QUTEDANCE_API_KEY) or a secure secret store.
  3. If you allow autonomous agent invocation, be cautious because the skill will send queries (and any provided API key) to that external endpoint.
  4. Optionally review the script locally to confirm no extra endpoints or unexpected behavior, and consider removing or leaving the apiKey blank in config.json before adding the skill.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/qutedance-quotes.js:27: Environment variable access combined with network send.

Current version: v1.0.0
latestvk974ra26e7y7bc2mtqp423c99h837vrm

SKILL.md

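Qutedance Quotes - Market Quote Lookup Skill

Introduction

Built on Qutedance's quotedance-service quote API, this skill provides:

  • Real-time quote lookup for A-shares / Hong Kong stocks / futures
  • A-share sector top gainers and losers (change-percentage rankings)
  • Search for stocks, futures and other instruments (fuzzy search by name or code)

Adapted to your qutedance workspace, for quickly checking key instruments and sector performance in conversation.


Configuration

  • Quote service (quotedance-service):
    • Currently points directly at your online instance:
      • serviceUrl: "https://quotedance.api.gapgap.cc"
  • Qutedance API Key:
    • To keep things simple and easy to learn, it is written directly in the config file
      • apiKey: ""
    • If you need a more secure approach, you can switch it to an environment variable later.

Config file: skills/qutedance-quotes/config.json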

{
  "serviceUrl": "https://quotedance.api.gapgap.cc",
  "apiKey": "",
  "defaults": {
    "type": "cn",
    "topPlatesCount": 10
  }
}

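Capabilities

1️⃣ A-share / futures / Hong Kong stock quote lookup

  • A-shares: type=cn
  • Hong Kong stocks: type=hk
  • Futures: type=futures (default)

The script calls:

  • GET /quotes/?list=CODE1,CODE2&type=cn|hk|futures

The output includes:

  • Code and name
  • Latest price
  • Change percentage (relative to the previous close or settlement price)
  • High / low
  • Best bid / best ask

2️⃣ A-share sector top gainers/losers list

  • Endpoint: GET /quotes/plate-top-info?count=N
  • Displays:
    • Sector name and average change percentage (core_avg_pcp)
    • Leading gainers (symbol, name, change percentage, price change)
    • Leading losers (same fields)

3️⃣ Instrument search (stocks / futures, etc.)

  • Endpoint: GET /quotes/search
  • Supported parameters:
    • q: search keyword (e.g. "平安")
    • type: market type (cn / hk / futures / us / all, etc.)
    • limit: maximum number of results (default 20)
  • Output:
    • Code, name, market, exchange

How to use in conversation

When the user says something like:

  • "Check the quotes for A-shares 000001 and 600000"
  • "Look up the futures quotes for M2605 and RB2605"
  • "Show me today's A-share gainers/losers list and hot sectors"
  • "Search for A-shares related to Ping An (平安)"

The agent should:

  1. Select this skill, qutedance-quotes
  2. Choose the call mode from the meaning of the request:
    • Specific codes given → call the /quotes/ quote lookup
    • Gainers/losers list or hot sectors wanted → call /quotes/plate-top-info
  3. Present the Markdown table/list output by the script directly to the user, adding explanation where needed.

Manual script usage

Run from the workspace-quotedance directory: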

cd ~/.openclaw/workspace-quotedance

# A-share quotes
node skills/qutedance-quotes/scripts/qutedance-quotes.js --type cn --list 000001,600000

# Futures quotes
node skills/qutedance-quotes/scripts/qutedance-quotes.js --type futures --list M2605,RB2605

# A-share sector gainers/losers list (top 10)
node skills/qutedance-quotes/scripts/qutedance-quotes.js --plates 10

# Search instruments (fuzzy search by name)
node skills/qutedance-quotes/scripts/qutedance-quotes.js --search --q 平安 --type cn --limit 10

Implementation details

Directory structure:

skills/qutedance-quotes/
├── SKILL.md
├── config.json
└── scripts/
    └── qutedance-quotes.js

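Script behaviour overview:

  • Reads the quotedance-service access configuration from SERVICE_URL / QUTEDANCE_API_KEY
  • getQuotes(list, type)
    • Calls the /quotes/ endpoint
    • Formats the result as a Markdown table
  • getPlateTopInfo(count)
    • Calls /quotes/plate-top-info
    • Generates a descriptive list of sectors with their leading gainers and losers

Notes

  • Make sure quotedance-service is running normally (or that the cloud instance is reachable)
  • The API key should be configured through an environment variable rather than hard-coded in a repository file
  • Quote data is for reference only and does not constitute investment advice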
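
One way to enforce the API key note and the scan's host-verification advice when the configuration is loaded, as an added example that is not the skill's own script. `resolveConfig` and `TRUSTED_HOSTS` are hypothetical names, and preferring the environment variable over the file value is this example's choice; the config keys and `QUTEDANCE_API_KEY` come from the page.

```javascript
// Added example, not the skill's own code. resolveConfig and TRUSTED_HOSTS are
// hypothetical; serviceUrl, apiKey and QUTEDANCE_API_KEY are taken from the page.
const TRUSTED_HOSTS = new Set(['quotedance.api.gapgap.cc']); // hosts you have vetted

function resolveConfig(fileConfig, env, trustedHosts = TRUSTED_HOSTS) {
  const warnings = [];

  // 1. Validate the endpoint before any key can be sent to it.
  let url;
  try {
    url = new URL(fileConfig.serviceUrl);
  } catch {
    throw new Error('serviceUrl is missing or not a valid URL');
  }
  if (url.protocol !== 'https:') {
    throw new Error(`serviceUrl must use https, got ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new Error('serviceUrl must not embed credentials');
  }
  if (!trustedHosts.has(url.hostname)) {
    throw new Error(`serviceUrl host ${url.hostname} is not on the trusted list`);
  }

  // 2. Prefer the environment variable; a key stored in config.json is a finding.
  const fileKey = (fileConfig.apiKey || '').trim();
  const envKey = (env.QUTEDANCE_API_KEY || '').trim();
  if (fileKey) {
    warnings.push('apiKey is set in config.json; move it to QUTEDANCE_API_KEY and blank the file value');
  }
  const apiKey = envKey || fileKey;
  const keySource = envKey ? 'env' : fileKey ? 'config.json' : 'none';
  if (!apiKey) warnings.push('no API key configured');

  return { serviceUrl: url.origin, apiKey, keySource, warnings };
}

// Constructed sample input mirroring the config.json shown on the page.
const sampleConfig = {
  serviceUrl: 'https://quotedance.api.gapgap.cc',
  apiKey: '',
  defaults: { type: 'cn', topPlatesCount: 10 },
};
const resolved = resolveConfig(sampleConfig, { QUTEDANCE_API_KEY: 'constructed-test-key' });
console.log(resolved.keySource, resolved.warnings);
```

In a real loader, pass the parsed contents of config.json and `process.env` as the two arguments.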
