Code Plugin · Executes code · source-linked

TickFlow Assist

OpenClaw plugin for TickFlow-based A-share analysis, monitoring, and alerting.

Community code plugin. Review compatibility and verification before install.
tickflow-assist · runtime id tickflow-assist
Install
openclaw plugins install clawhub:tickflow-assist
Latest Release
Version 0.2.8
Compatibility
{
  "builtWithOpenClawVersion": "0.2.8",
  "minGatewayVersion": "2026.3.22",
  "pluginApiRange": "2026.3.22"
}
Capabilities
{
  "bundledSkills": [],
  "capabilityTags": [
    "executes-code"
  ],
  "channels": [],
  "commandNames": [],
  "configSchema": true,
  "configUiHints": false,
  "executesCode": true,
  "hooks": [],
  "httpRouteCount": 0,
  "materializesDependencies": false,
  "providers": [],
  "runtimeId": "tickflow-assist",
  "serviceNames": [],
  "setupEntry": false,
  "toolNames": []
}
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (stock analysis, monitoring, alerting) matches the code and tools included: TickFlow client, LLM-driven analysis code, indicators (Python), monitoring and alert services, and local LanceDB persistence. The declared necessary keys in SKILL.md (tickflowApiKey, llmApiKey, optional mxSearchApiKey) are appropriate for these functions.
Instruction Scope
The SKILL.md explicitly directs running 'npx -y tickflow-assist configure-openclaw' which writes into ~/.openclaw/openclaw.json and (by default) enables the plugin and restarts the OpenClaw gateway. This is coherent with installing/configuring a plugin but is invasive (modifies user config and restarts services). The configure command offers flags (--no-enable --no-restart) to avoid immediate changes for manual review.
Install Mechanism
Registry metadata lists no install spec, but SKILL.md recommends installing via OpenClaw plugins and running an npx configure script. npx will fetch code from npm; the project includes many distribution files. This is expected for a packaged plugin but you should inspect the configure script before running npx. There are no downloads from obscure URLs in the provided manifest.
Credentials
The plugin needs service API keys (TickFlow API key, LLM API key) and optional mxSearch key; those are proportionate to fetching market/financial data and calling an LLM. The package does not demand unrelated secrets in metadata. It does require configuration of local paths (databasePath, pythonBin, openclawCliBin) and will persist data locally.
Persistence & Privilege
always:false (no force-inclusion). The configure step will write to your OpenClaw config (~/.openclaw/openclaw.json), enable the plugin and restart the gateway by default—this grants the plugin persistent presence once enabled. The skill also persists data to a local LanceDB (databasePath) and can spawn the OpenClaw CLI to deliver alerts. These behaviors are expected but are persistent and should be reviewed before enabling.
Scan Findings in Context
[system-prompt-override] expected: The codebase contains many system/user prompt templates (system prompts for LLM analysis). The static scanner flagged 'system-prompt-override' in SKILL.md; this is expected because the plugin uses explicit system prompts to steer the LLM for financial analysis. Nonetheless, any included system prompts will influence LLM outputs—review them if you must ensure no undesired instruction leakage or unsafe guidance.
Assessment
What to consider before installing:
  • Inspect the configure script before running 'npx -y tickflow-assist configure-openclaw'. Prefer 'npx -y tickflow-assist configure-openclaw --no-enable --no-restart' so you can review ~/.openclaw/openclaw.json changes and manually enable only after review.
  • The plugin requires a TickFlow API key and an LLM API key (llmApiKey). Provide keys with least privilege and consider using a dedicated LLM API key for this plugin.
  • The plugin will persist a local LanceDB (databasePath) and may run background services (monitoring, daily updates). Decide where data will be stored and back up existing OpenClaw config first.
  • The alert code can run the OpenClaw CLI (or spawn commands) to deliver messages; if you don't want automated outbound messages, leave alertTarget/alertChannel unset and do not enable the plugin.
  • Prompt-injection scanner flagged system-prompt-override patterns — this is expected because the plugin defines system prompts for LLM analysis. Review prompt templates if you need to ensure they don't request or leak sensitive information.
  • If you are unsure, audit the repository locally (especially configure-openclaw behavior and any CLI invocation code) or test in an isolated environment before enabling in your primary OpenClaw instance.
dist/dev/tickflow-assist-cli.js:584
Shell command execution detected (child_process).
dist/runtime/daily-update-process.js:7
Shell command execution detected (child_process).
dist/services/alert-service.js:139
Shell command execution detected (child_process).
dist/services/indicator-service.js:41
Shell command execution detected (child_process).
dist/tools/start-monitor.tool.js:36
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Verification
{
  "hasProvenance": false,
  "scanStatus": "clean",
  "scope": "artifact-only",
  "sourceCommit": "ee05fd7336d8b1bd7dfc2b2c836f2971900b7018",
  "sourceRepo": "https://github.com/robinspt/tickflow-assist",
  "sourceTag": "v0.2.8",
  "summary": "Validated package structure and linked the release to source metadata.",
  "tier": "source-linked"
}
Tags
{
  "latest": "0.2.8"
}

TickFlow Assist

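An OpenClaw-based plugin for A-share monitoring and analysis. It uses TickFlow to fetch market and financial data, combines it with an LLM to produce an integrated assessment across technical, fundamental, and news dimensions, and persists the results to a local LanceDB.

Install

Community install: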

openclaw plugins install tickflow-assist
npx -y tickflow-assist configure-openclaw

The second command writes to plugins.entries["tickflow-assist"].config in ~/.openclaw/openclaw.json and, by default, runs:

  • openclaw plugins enable tickflow-assist
  • openclaw config validate
  • openclaw gateway restart

If you want to review the configuration before manually enabling or restarting, use:

npx -y tickflow-assist configure-openclaw --no-enable --no-restart

Upgrading after a community install:

openclaw plugins update tickflow-assist
openclaw gateway restart

Configuration

At runtime the plugin reads:

~/.openclaw/openclaw.json

Configuration path:

plugins.entries["tickflow-assist"].config

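Common fields:

  • Required: tickflowApiKey, llmApiKey
  • Common: llmBaseUrl, llmModel, databasePath, calendarFile
  • Optional: mxSearchApiKey, alertTarget, alertAccount

mxSearchApiKey is used for mx_search, mx_select_stock, and the lite supplement of the non-Expert financial pipeline; alertTarget is needed only for test_alert, real-time monitoring alerts, and scheduled notifications.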

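Features

  • Watchlist management, daily and minute K-line fetching, and indicator calculation
  • Integrated analysis across technical, financial, and news dimensions
  • Real-time monitoring, scheduled daily updates, and post-close review
  • Local LanceDB data trail and viewing of analysis results

Operational notes

  • The plugin persists LanceDB data locally under databasePath.
  • Background services run scheduled daily updates and real-time monitoring according to the configuration.
  • The Python submodule is used only for technical indicator calculation and does not carry the main business flow.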

Repository