Stocki
v0.4.3AI financial analyst with institutional-grade data covering A-shares, HK stocks, US stocks, ETFs, and indices. Supports real-time quotes, sector/industry ana...
⭐ 2· 175·0 current·0 all-time
by@zhikun9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (financial analyst, real-time quotes, quant/backtesting) align with required binaries (python3), required env vars (STOCKI_GATEWAY_URL, STOCKI_API_KEY), and the included scripts which call the Stocki gateway endpoints. No unrelated credentials or unusual binaries are requested.
Instruction Scope
Runtime instructions (SKILL.md) direct the agent to run the provided CLI scripts and to set the two declared env vars. The skill creates a local workspace (~/stocki/) for preferences, portfolio (only if user consents), and quant reports; it also recommends cron schedules for periodic queries. The doctor/diagnose steps perform network checks and a remote SKILL.md fetch from GitHub. These actions are consistent with the stated purpose but give the skill discretion to perform network calls, create local files, and run scheduled tasks — users should be aware of scheduled polling and local storage of reports.
Install Mechanism
No packaged install spec in the registry (instruction-only), and INSTALL.md points to GitHub or clawhub/skillhub installs. The code bundled with the skill uses only Python stdlib and standard git/cli operations. There are no downloads from obscure URLs or use of URL shorteners.
Credentials
Only STOCKI_GATEWAY_URL and STOCKI_API_KEY are required (primaryEnv = STOCKI_API_KEY). That is proportionate for a gateway-based data service. The scripts only read those env vars and do not request other unrelated secrets or system tokens.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configs. The doctor can reinstall the skill (runs clawhub/git and rm -rf on the skill directory) but checks that 'stocki' is in the skill directory name before removing; this is normal for self-update behavior. The skill will create and write to ~/stocki/ when used.
Assessment
This skill appears internally consistent with its described purpose, but consider these practical safety steps before installing:
- Only set STOCKI_API_KEY and STOCKI_GATEWAY_URL if you trust the Stocki service (https://api.stocki.com.cn). The API key grants access to your Stocki account—treat it like a password and prefer a key with limited scope if possible.
- The skill will make outbound network requests (to your configured gateway and to raw.githubusercontent.com for version checks) and will create a local workspace (~/stocki/) and downloaded reports. If you run in a sensitive environment, consider installing in a sandbox or container.
- The doctor can reinstall itself using clawhub/git and runs an rm -rf on the skill directory after a basic basename check; review the _reinstall_skill() logic if you are concerned about self-updating scripts.
- Scheduled monitoring via cron is suggested in SKILL.md—cron jobs will cause periodic outbound queries. Only enable scheduling if you want automated polling.
- If you need additional assurance, inspect the full scripts locally (already bundled) and run python3 scripts/stocki.py diagnose to verify behavior with a test API key.
Overall: coherent and expected for a gateway-backed financial analysis CLI, but exercise standard caution around API keys, automatic updates, and scheduled tasks.Like a lobster shell, security has layers — review code before you run it.
latestvk977hansva89p107fcxx1keejx83r5x7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📊 Clawdis
Binspython3
EnvSTOCKI_GATEWAY_URL, STOCKI_API_KEY
Primary envSTOCKI_API_KEY