Community code plugin. Review compatibility and verification before install.
Latest release: v0.3.4Download zip
Capabilities
Compatibility
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The code and SKILL.md implement A‑share monitoring, TickFlow/Jin10 integration, alerting, local LanceDB persistence, and LLM-based analysis — all coherent with the stated purpose. However the skill relies on several external services (TickFlow, Jin10, optional mxSearch, and an LLM) which require API keys/configuration that are not declared in the registry metadata.
Instruction Scope
Runtime instructions explicitly instruct installing/enabling the plugin, writing configuration into ~/.openclaw/openclaw.json (tickflowApiKey, llmApiKey, llmBaseUrl, llmModel, etc.), restarting the OpenClaw gateway, and running local Python sync; scripts will persist data locally and run background workers. There are no instructions to read unrelated system files, nor obvious external exfil endpoints hard-coded, but the plugin ships many LLM prompt files (system/user prompts) which influence the LLM behavior.
Install Mechanism
Registry lists no install spec (instruction-only), but the package contains a full codebase (JS/TS dist and Python modules) expected to be installed via OpenClaw's plugin installer. There are no download-from-arbitrary-URL steps in SKILL.md. Risk is moderate because code will be installed and run locally (no external opaque installers), but you should inspect the configure-openclaw helper before executing it.
Credentials
Registry metadata declares no required env vars/primary credential, yet SKILL.md and code require and use multiple sensitive configuration values (tickflowApiKey, llmApiKey and llmBaseUrl, jin10ApiToken, mxSearchApiKey, alert channel/targets, databasePath, etc.) stored in ~/.openclaw/openclaw.json. This mismatch is an incoherence: the skill will ask you to supply potentially high‑privilege secrets but does not declare them as required in metadata. The skill can also invoke runtime channel APIs and run the openclaw CLI for alert delivery — these mechanisms can use credentials/config from the OpenClaw runtime.
Persistence & Privilege
The plugin persists data (LanceDB under databasePath) and writes its configuration into the user's OpenClaw config (~/.openclaw/openclaw.json). It spawns background workers for monitoring/alerts. 'always' is false and autonomous invocation is allowed (default), so it will not be force-attached to every agent globally, but it will run persistent services when enabled. This behavior is expected for a monitoring plugin but increases its blast radius if misconfigured.
Scan Findings in Context
[system-prompt-override] expected: The package includes many LLM prompt files and a service that calls an LLM (analysis-service). A 'system-prompt-override' pattern is expected because the plugin provides system and user prompts for the LLM-driven analysis. Still, prompt files increase risk of untrusted instruction injection (the plugin controls what is sent to the LLM and how LLM outputs are used).
What to consider before installing
What to check before installing:
1) Metadata vs reality: the registry lists no required credentials but the SKILL.md and code require/expect tickflowApiKey, llmApiKey (and llmBaseUrl), jin10ApiToken, mxSearchApiKey, and alert channel settings in ~/.openclaw/openclaw.json. Inspect the configure-openclaw script and openclaw.plugin.json before running to see exactly what will be written.
2) Secrets storage: the plugin stores API keys in your OpenClaw config file. If you are uncomfortable storing full LLM or exchange API keys there, create least‑privilege or scoped API keys, use separate accounts, or avoid enabling features that require them.
3) LLM usage & prompts: the skill ships system/user prompts and will call an LLM to generate trading analysis. Prompt files are expected but review them (dist/prompts/**) to ensure no unexpected instructions or hidden telemetry. Prefer pointing llmBaseUrl to a trusted LLM endpoint.
4) Alert delivery: the plugin can send messages via OpenClaw runtime channels or by invoking the openclaw CLI — verify which channel/targets/accounts you configure and who can receive those alerts.
5) Local persistence and processes: the plugin writes to databasePath (LanceDB) and starts background workers; confirm the database location and retention settings. Consider running the plugin in an isolated environment/container if you want to limit filesystem exposure.
6) Review code paths of highest impact: configure-openclaw, bootstrap, services/analysis-service.js (LLM calls), services/tickflow-client.js, services/jin10-mcp-service.js, runtime/command-runner.js, and any code that performs network calls. If you do not want network calls to certain services, do not provide those API keys.
7) If uncertain: test in a throwaway OpenClaw profile or VM, or ask the maintainer for a minimal install checklist and an explanation of what configure-openclaw writes. The package appears to implement its stated functionality, but the metadata/manifest omissions and LLM/prompt files justify caution.Verification
Tags
TickFlow Assist
基于 OpenClaw 的 A 股监控与分析插件。它使用 TickFlow 获取行情与财务数据,并可选接入 金十数据 MCP 快讯流,结合 LLM 生成技术面、基本面、资讯面的综合判断,并把结果持久化到本地 LanceDB。
最近更新:v0.3.4 新增 09:20 盘前资讯简报,修复 Jin10 历史补页重复推送与状态页最新快讯显示错误,并降低 Telegram 图文告警被误判失败后重复补发的风险。完整发布记录见 https://github.com/robinspt/tickflow-assist/blob/main/CHANGELOG.md。
当前主线按 OpenClaw v2026.3.31+ 对齐,并已验证社区安装在 v2026.4.5 上兼容。
安装
社区安装:
openclaw plugins install tickflow-assist
npx -y tickflow-assist configure-openclaw
cd ~/.openclaw/extensions/tickflow-assist/python && uv sync
openclaw plugins enable tickflow-assist
openclaw config validate
openclaw gateway restart
安装阶段允许先落插件,再通过第二条命令写入 tickflowApiKey、llmApiKey 等正式配置。
configure-openclaw 会写入 ~/.openclaw/openclaw.json 中的 plugins.entries["tickflow-assist"].config,并打印后续建议执行的命令;它不再自动执行 openclaw、uv 或系统包安装命令。
如果检测到 plugins.installs["tickflow-assist"] 来自 clawhub,向导还会把被旧版本钉死的 spec 归一化为 clawhub:tickflow-assist,避免后续升级继续锁在旧版本。
如果你希望先审阅配置,再只打印最少的后续步骤,可使用:
npx -y tickflow-assist configure-openclaw --no-enable --no-restart
如果你在 Linux 或 macOS 上需要 PNG 告警卡正常显示中文,请额外手动安装 fontconfig 与 Noto CJK 一类中文字体,例如:
# Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y fontconfig fonts-noto-cjk
fc-cache -fv
# RHEL / Fedora / Rocky / AlmaLinux
sudo dnf install -y fontconfig google-noto-sans-cjk-ttc-fonts
fc-cache -fv
# Arch / Manjaro
sudo pacman -Sy --noconfirm fontconfig noto-fonts-cjk
fc-cache -fv
# Alpine
sudo apk add fontconfig font-noto-cjk
fc-cache -fv
# macOS (Homebrew)
brew install fontconfig
brew install --cask font-noto-sans-cjk
fc-cache -fv
社区安装后的升级方式:
openclaw plugins update tickflow-assist
openclaw gateway restart
配置
插件正式运行读取:
~/.openclaw/openclaw.json
配置路径:
plugins.entries["tickflow-assist"].config
建议按完整功能显式填写以下字段,不要只填 API Key:
- 核心运行:
tickflowApiKey、llmApiKey、llmBaseUrl、llmModel - 本地数据:
databasePath、calendarFile - 告警投递:
alertChannel、alertTarget、alertAccount - 能力补充:
mxSearchApiKey、jin10ApiToken
其中,mxSearchApiKey 用于 mx_search、mx_select_stock 以及非 Expert 财务链路的 lite 补充;jin10ApiToken 用于 24 小时金十数据快讯监控;jin10FlashNightAlert 默认 false(开启夜间静默),设为 true 可恢复 24 小时快讯告警;alertTarget、alertAccount 建议在准备启用 test_alert、实时监控告警、金十数据快讯告警和定时通知前一并配好,避免配置不完整导致功能缺失。
功能
- 自选股管理、日 K / 分钟 K 抓取与指标计算
- 技术面、财务面、资讯面的综合分析
- 实时监控、定时日更、收盘后复盘
- 金十数据 24 小时快讯监控与自选关联提醒
- 本地 LanceDB 数据留痕与分析结果查看
运行说明
- 插件会在本地
databasePath下持久化 LanceDB 数据。 - 后台服务会按配置执行定时日更、实时监控与金十数据快讯监控。
- Python 子模块仅用于技术指标计算,不承担主业务流程。
依赖与可选能力
- TickFlow:提供日线、分钟线、实时行情与财务数据接口。
- 金十数据 MCP:可选,用于 24 小时快讯流接入、自选关联筛选与事件驱动告警。
- 东方财富妙想 Skills:可选,用于
mx_search、mx_select_stock与非Expert财务链路的 lite 补充。