Security Scan
OpenClaw
Security
high confidence
The skill is internally coherent for stock analysis: it uses yfinance + VectorBT, stores results in SQLite, and its scripts match the documented workflows — there are a few minor documentation/env-var gaps and an optional webhook that could send data externally which you should review before running.
Assessment Recommendations
This skill appears to do what it says (collect market data, run backtests, compute conviction scores, optionally run a small ML model and persist results to SQLite). Before installing/running: 1) Decide where you want the SQLite DB and pass --db-path or set TAI_ALPHA_DB_PATH/TAI_ALPHA_OUTPUT_DIR to avoid overwriting other files. 2) Do not set a Telegram webhook (TAI_ALPHA_TELEGRAM_WEBHOOK) or other webhook until you trust/verify the destination, because cron/alerts can send data externally. 3) T...
✓ Purpose and Capabilities
Name/description match the code and docs: the package implements collection (yfinance), VectorBT backtests (RSI/MACD/BB), scoring, optional ML, and SQLite persistence. Declared Python dependencies in pyproject (numpy, pandas, yfinance, vectorbt, scikit-learn, pyyaml) are appropriate for the stated features. No unrelated cloud credentials, binaries, or surprising external services are required by default.
ℹ Instruction Scope
SKILL.md and the thin CLI scripts instruct the agent to run local Python scripts (collect, backtest, score, report, cron, etc.). The runtime behavior stays within the stated domain: network fetches (Yahoo via yfinance, optional CoinGecko) and writes to a local SQLite DB. One operational behavior to be aware of: the cron/hotlist path supports sending notifications to a Telegram webhook (TAI_ALPHA_TELEGRAM_WEBHOOK) — that will transmit report/watchlist data to an external endpoint if configured. This is expected for an alerts feature, but you should vet any webhook URLs before enabling them.
✓ Install Mechanism
No install spec in the skill manifest (instruction-only). The bundle includes full source and a pyproject.toml for a normal pip install (editable dev install) — conventional and traceable. There are no download-from-untrusted-URL installers or extract-from-remote steps in the provided files. The included scripts for publishing to ClawdHub invoke npm when run, but that is an optional, explicit authoring/publish workflow — not an automatic install step.
⚠ Credential Requirements
The skill references several environment variables in docs and code (TAI_ALPHA_DB_PATH, TAI_ALPHA_OUTPUT_DIR, optional TAI_ALPHA_HOTLIST and TAI_ALPHA_TELEGRAM_WEBHOOK, and optional TAI_ALPHA_CN_SOURCE) but declares no required env vars in the registry metadata. Not declaring these makes it harder to audit what secrets or external endpoints might be used. In particular, a configured Telegram webhook would be a secret/URL that causes outbound transmission of report/watchlist data. This mismatch is an oversight (not necessarily malicious) but worth noting and reconciling before use.
ℹ Persistence and Privileges
The skill writes a local SQLite DB by design (default: tai_alpha_output/tai_alpha.db) and will create/modify that file when run. always:false and model-invocation defaults are set; there is no elevated or persistent platform privilege requested. Take care not to run it against a production DB path you care about (docs note this), and consider specifying a dedicated DB path when testing.
Security is layered; review the code before running.
Runtime Dependencies
No special dependencies
Install Commands
Official: npx clawhub@latest install tai-alpha-stock
Mirror: npx clawhub@latest install tai-alpha-stock --registry https://cn.longxiaskill.com (mirror available)
Localization Notes
Tai Alpha Stock — TAI Alpha Stock installation instructions: Install commands: ["openclaw skills install tai-alpha-stock","npx clawhub@latest install tai-alpha-stock"]