      Safety Report

      A Stock Monitor

      @jame-mei-ltp

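      A-share quantitative monitoring system: 7-dimension market sentiment scoring, an intelligent stock-selection engine (5 short-term strategies + 7 medium/long-term strategies), real-time price monitoring, and gainers/losers rankings. Supports data collection and analysis for 5,000+ stocks across the whole market, multi-indicator resonance scoring, precise buy/sell point calculation, and dynamic stop-loss/take-profit. Automatically recommends 3-5 short-term and 5-10 medium/long-term quality stocks each day. Includes a web interface, automated cron tasks, and historical data backtracking. Suitable for A-share quantitative...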

      4,617 Downloads
      28 Installs
      24 Stars
      6 Versions
      Workflow Automation 3,323

      Security Analysis

      medium confidence
      Suspicious · 0.08 risk

      The package mostly matches an A‑share monitoring tool, but there are noticeable inconsistencies (missing/extra dependencies, hardcoded weak passwords, and documentation mismatches) that warrant caution before installing or running it.

      Feb 24, 2026 · 26 files · 4 concerns

      Purpose & Capability: concern

      Name/description match the included Python scripts (data fetchers, selectors, Flask web UI). However the declared package list in SKILL.md (akshare, flask, ccxt) is incomplete and contains ccxt (a crypto-exchange library) which is unrelated to an A‑share stock monitor. The code imports/uses other heavy dependencies (pandas, numpy, requests, tushare) that are not declared. This mismatch between claimed dependencies and actual imports is incoherent and could lead to unexpected installs or failures.

      Instruction Scope: note

      Runtime instructions are straightforward (pip install, run scripts, add cron jobs). Examples include sending alerts to external webhooks (curl to Feishu/Lark) and running cron payloads that will regularly contact external data sources. Those behaviors are expected for a monitoring tool but you should note they cause regular outbound network traffic and may expose data if misconfigured. There are also small doc inconsistencies (API.md default password 'stock2024' vs FINAL_SUMMARY listing 'admin/admin123').

      Install Mechanism: note

      This is instruction-only (no install spec), so no archive downloads or automatic installers — lower install risk. But the SKILL.md / INSTALL.md only instruct to pip install akshare, flask, ccxt, while the code requires additional packages (pandas, numpy, requests, tushare, etc.). This incomplete install guidance can lead users to run the skill with missing dependencies or to add unnecessary/irrelevant packages (ccxt).

      Credentials: concern

      The skill requests no environment variables, which is consistent, but code references optional TUSHARE_TOKEN and the config contains a hardcoded default web PASSWORD ('stock2024'). Hardcoded weak credentials and inconsistent default credentials across documentation are a security and usability concern. No cloud credentials are requested (good), but the presence of optional Tushare integration (requires token) is not disclosed in requires.env and the metadata does not list tushare.

      Persistence & Privilege: ok

      The skill does not request elevated platform privileges (always: false). It runs as a normal Python app and proposes cron jobs and a local Flask server. It does not modify other skills or system-wide configurations according to the provided files.

      Guidance

      What to consider before installing/running:

      1) Dependency mismatch: The README tells you to pip install akshare, flask, ccxt but the code imports pandas, numpy, requests and tushare. Before running, inspect requirements and install the real dependencies (or run in a disposable environment/virtualenv). Remove ccxt if you don't need crypto support.

      2) Credentials & defaults: The app uses a hardcoded default password (stock2024) and documentation has inconsistent default credentials; change the password in config.py before exposing the web UI. If you enable Tushare, provide the token only if you trust the source.

      3) Networking & cron: The skill will regularly query external data sources (Sina, akshare, optionally Tushare) and suggests cron jobs. Run it behind network rate limits or in a VM to avoid IP blocks and to contain unexpected outbound traffic. Audit any webhook URLs you configure (examples show curl to a webhook) — do not paste real secret webhooks into example code.

      4) Code review: There are no obfuscated or obviously malicious code fragments in the provided snippets, but the mismatch between declared and actual imports suggests sloppy packaging. Review any omitted files (advanced_indicators, fundamental_data, etc.) for network calls, subprocess usage, or credential handling before trusting it with real data.

      5) Run safely: If you want to test, run the web app and data-updater in an isolated environment (container or VM), disable cron until you verify behavior, change defaults, and monitor outbound connections/logs.

      If you want, I can: (a) extract a full dependency list from the codebase, (b) list all files that import network or subprocess modules, or (c) highlight where default credentials appear so you can change them prior to running.

      Latest Release

      v1.1.2

      Fixed a data-update bug and optimized data-source performance (Sina + akshare), improving speed by 6-10x

      Published by @jame-mei-ltp on ClawHub