by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's code and instructions mostly match a market-data reporter, but it contacts an unknown remote service, executes curl as a fallback, and references an undeclared/misspelled API env var — these discrepancies merit caution before installing.
评估建议
This skill appears to do what it says (fetch market quotes and news) but exercise caution: 1) Inspect the full scripts before running — the file will make outbound HTTP requests and may call the local curl binary. 2) Verify and trust the configured serviceUrl (quotedance.api.gapgap.cc) — it will receive requests as a fallback. 3) Note the likely typo in the env var name (QUTEDANCE_API_KEY); if you set an API key, confirm the variable name used by the script. 4) Run the skill first in a restricte...详细分析 ▾
ℹ 用途与能力
Name/description (market reports) align with the code: the script fetches quotes, news, and generates reports. However the configured serviceUrl (https://quotedance.api.gapgap.cc) is an opaque third‑party domain not documented in the SKILL metadata/homepage; the skill will send symbol lists/requests to that endpoint as a fallback — verify you trust that host.
✓ 指令范围
SKILL.md instructs the agent and user to run the included Node script and documents data sources. The script only reads its own config and writes snapshots to its memory/ directory; it does perform broad network requests to many public news and quote endpoints (Yahoo, Bloomberg feeds, Reuters, Stooq, quotedance-service). No instructions ask it to read unrelated system files or secrets.
ℹ 安装机制
There is no install spec (instruction-only installer), so nothing is fetched at install time. The runtime script can exec a local curl binary as a fallback (execFileSync('curl')), which will run system binaries when active — this is expected for network fallback but increases runtime risk if you run it on a host you care about.
⚠ 凭证需求
The skill declares no required env vars, yet the script reads standard proxy envs (HTTP(S)_PROXY / ALL_PROXY) and an API key env var spelled process.env.QUTEDANCE_API_KEY (note the apparent misspelling 'QUTEDANCE' vs 'QUOTEDANCE'). The script will send requests (including symbol lists) to quotedance.api.gapgap.cc; although an API key is optional, sending data to that unknown host without explicit user consent is a privacy/identification risk.
✓ 持久化与权限
always:false and no special privileges. The script writes its own memory snapshots and cache under skills/quotedance-market/memory. It does not request system-wide config changes or modify other skills. Autonomous agent invocation is allowed by platform defaults (normal).
⚠ scripts/market-scan.js:154
Shell command execution detected (child_process).
⚠ scripts/market-scan.js:28
Environment variable access combined with network send.
⚠ scripts/market-scan.js:418
File read combined with network send (possible exfiltration).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/19
quotedance-market 1.0.0 - 专业全球市场投研情报官上线: - 支持整合美股、A股、期货主流市场行情,实时获取多数据源(Yahoo Finance, quotedance-service)。 - 日报/周报自动切换输出,涵盖市场数据、主题、机会与风险提示。 - 资讯聚合自 Bloomberg、Reuters、华尔街见闻等优质源,按优先级获取。 - 配置灵活(行情关注列表、资讯数量、代理网络、自选股等)。 - 专业可读的市场报告结构,支持表格与 Emoji、风险分级、节点标记等增强展示。 - 提供命令行脚本与智能触发词,易于集成与自动化运行。
● 可疑
安装命令 点击复制
官方npx clawhub@latest install quotedance-market
镜像加速npx clawhub@latest install quotedance-market --registry https://cn.clawhub-mirror.com
技能文档
专业的全球市场投研日报技能,提供结构化、有思考维度的市场分析。
🎯 核心能力
数据源融合
- 美股行情:Yahoo Finance(道指、纳指、标普500及重点个股)
- A股行情:quotedance-service(主要指数、自选股)
- 期货行情:quotedance-service(黄金、原油、螺纹钢、豆粕等)
- A股板块榜:quotedance-service(涨跌幅Top N)
- 专业资讯:Bloomberg、Reuters、华尔街见闻、金十数据(最优质最实时)
智能输出风格
- 交易日日报:市场数据 + 热点主题 + 投资机会 + 风险提醒
- 周末休整日:本周回顾 + 下周前瞻 + 风险雷达 + 思考题
- 自动切换:根据日期自动选择日报或周末版本
⚙️ 配置文件
skills/quotedance-market/config.json
{
"serviceUrl": "https://quotedance.api.gapgap.cc",
"apiKey": "",
"watchlist": {
"us": ["^DJI", "^IXIC", "^GSPC", "AAPL", "NVDA", "TSLA"],
"cn": ["000001", "399001", "399006"],
"futures": ["M2605", "RB2605", "AU0", "SC0"]
},
"defaults": {
"plateTopCount": 10,
"opportunityCount": 5,
"newsCount": 10
},
"network": {
"useProxy": true,
"proxyUrl": "",
"timeoutMs": 25000,
"requestRetries": 2,
"enableCurlFallback": true
}
}
📋 报告结构
交易日版本
📈 市场情报日报 | 日期
├── 全球市场状态
│ ├── 美股/港股/A股
│ └── 期货(黄金、原油)
├── 今日热点主题
│ ├── AI & 科技
│ ├── 宏观政策
│ └── 地缘风险
├── 投资机会(3-5个)
├── 风险提醒
└── 操作策略建议
周末版本
📈 市场情报日报 | 日期
├── 周期: 周末休整日
├── 全球市场状态
├── 本周回顾
├── 🔥 本周热点主题
├── 📅 下周关键节点(日历表)
├── ⚠️ 风险雷达(高/中风险)
├── 💭 周末思考题
├── 📝 操作策略建议
└── 🎉 今日小彩蛋
🚀 使用方式
命令行执行
cd ~/.openclaw/workspace-quotedance# 默认生成今日市场情报
node skills/quotedance-market/scripts/market-scan.js
# 强制刷新数据
node skills/quotedance-market/scripts/market-scan.js --refresh
# 输出网络诊断信息(代理、重试、超时配置)
node skills/quotedance-market/scripts/market-scan.js --net-debug
Agent 触发条件
当用户说以下内容时,自动调用本技能:
- "市场日报"、"市场情报"
- "今日市场"、"市场简报"
- "生成市场报告"
- "整理市场信息"
- "早报"、"晚报"
📊 数据获取逻辑
1. 行情数据
- 美股:Yahoo Finance API
- A股/期货:quotedance-service API
- 板块榜:
/quotes/plate-top-info
2. 资讯数据
优先级排序(最优质最实时):
- Bloomberg - 全球金融快讯
- Reuters - 国际新闻
- 华尔街见闻 - 中文专业财经
- 金十数据 - 实时快讯
- CoinDesk - 加密货币专业
- The Block - Web3深度
不再使用: 用户订阅源(RSS聚合)
💡 输出特点
专业性
- 数据来源明确标注
- 风险分级(高/中/低)
- 节点重要性标记(⭐ 数量)
前瞻性
- 下周关键事件日历
- 风险雷达提前预警
- 周末思考题引导复盘
可读性
- 表格化数据展示
- Emoji图示增强识别
- 分段清晰,重点突出
🔧 实现细节
目录结构
skills/quotedance-market/
├── SKILL.md # 本文件
├── config.json # 配置
├── scripts/
│ └── market-scan.js # 主脚本
└── memory/
├── market-YYYY-MM-DD.json # 历史快照
└── source-cache.json # 资讯源缓存
核心函数
fetchUsMarkets()- 美股行情(Yahoo)fetchQuotedanceQuotes()- A股/期货(quotedance)fetchPlateLeaders()- 板块榜fetchProfessionalNews()- 专业资讯源generateWeekdayReport()- 交易日报告generateWeekendReport()- 周末报告analyzeOpportunities()- 识别投资机会
⚠️ 注意事项
- Yahoo Finance 在中国大陆被墙,可能获取失败
- 资讯源可能超时或限制,脚本会降级处理
- 周末版本更注重前瞻性,交易日版本更注重实时性
- 所有数据仅供参考,不构成投资建议
维护者: Alpha (quotedance agent) 最后更新: 2026-03-14
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制