Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
G2 Quantitative Trading Strategy (G2量化交易策略)
v1.0.0 · Based on backtests of 21 strategy groups, provides a CSI 300 (沪深300) quantitative trading system with a 21.2% annualized return and a Sharpe ratio of 1.12, including intelligent stock selection and strict risk control.
⭐ 1 · 47 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The code and docs implement an A‑share selection/backtest system and call expected external data sources (Tencent/EastMoney). That fits the stated purpose. However SKILL.md and README reference many files (trading_workflow.py, positions.json, scripts/, backtest_cache/) that are not present in the provided file list; package.json also declares files that aren't included. This mismatch between claimed files and the provided bundle is an incoherence.
Instruction Scope
Runtime instructions tell the agent to run 'python3 stock_analysis_v5.py' and 'python3 trading_workflow.py' and to inspect positions.json. trading_workflow.py and positions.json are not present in the package, yet '执行交易' (execute trades) is explicitly suggested, which implies live trading capability. SKILL.md and trading_unified_config.json also describe a multi-agent LLM pipeline (openai/gpt-4.5) and an execution workflow, but the skill declares no environment variables for LLM keys or broker credentials. The instructions are therefore incomplete and may hide steps that require sensitive credentials.
Install Mechanism
There is no install spec (instruction-only + supplied scripts). That is lower installation risk — nothing downloads arbitrary remote installers. Dependencies are typical Python libs (numpy, requests) and would be installed by the user environment, not the skill itself.
Credentials
The skill declares no required environment variables, but the JSON config references an LLM provider ('openai', gpt-4.5) and a multi-agent framework that would normally require API keys. The main Python script hardcodes DB_PATH = '/root/.openclaw/workspace-financemaster/stock_data.db', writing to a root-scoped OpenClaw workspace path outside the skill directory. So either required credentials/configs are omitted from the metadata, or the skill expects to use existing agent/global state. Both are disproportionate to what the skill declares and warrant caution.
Persistence & Privilege
always:false (good), but the script writes to an absolute DB path under /root/.openclaw and will create/modify an sqlite DB and tables. That gives the skill persistent local state outside its package directory. Combined with the documented but missing trading_workflow.py (which would likely perform execution), this raises risk if run on a machine with real accounts or sensitive agent workspaces.
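The hardcoded DB_PATH described in the two findings above is the concrete thing to fix before running the script anywhere that matters. The following is an added example written for this page, not code from the skill or from OpenClaw: it replaces the absolute constant with a resolver that takes the path from an environment variable but refuses anything that would land outside a chosen sandbox directory. The STOCK_DB_PATH variable name, the sandbox location and the helper names are assumptions for illustration.

```python
"""Confine the skill's sqlite database to a sandbox directory (added example)."""
import os
import tempfile
from pathlib import Path

# Weak form reported by the scan: an absolute path into a root-owned agent workspace.
HARDCODED_DB_PATH = "/root/.openclaw/workspace-financemaster/stock_data.db"


class UnsafeDbPath(ValueError):
    """Raised when the requested database path would leave the sandbox."""


def resolve_db_path(sandbox_root, requested=None, env=None):
    """Return the real path of the sqlite file, guaranteed to lie inside sandbox_root.

    Precedence: explicit `requested` argument, then the (assumed) STOCK_DB_PATH
    environment variable, then <sandbox_root>/stock_data.db. Relative paths are
    taken relative to the sandbox. Containment is checked on the fully resolved
    path, so '..' segments and symlinks that point outside the sandbox are
    rejected as well, not just literal '/root/...' strings.
    """
    env = os.environ if env is None else env
    root = Path(sandbox_root).resolve()
    raw = requested if requested is not None else env.get("STOCK_DB_PATH", "stock_data.db")
    candidate = Path(raw)
    if not candidate.is_absolute():
        candidate = root / candidate
    real = candidate.resolve()  # non-strict: the file need not exist yet
    # The sandbox directory itself is not a valid file path either, hence `parents`.
    if root not in real.parents:
        raise UnsafeDbPath(f"refusing database path outside {root}: {raw!r}")
    return str(real)


def is_inside_sandbox(sandbox_root, raw):
    """Boolean form of the same policy check, ignoring the process environment."""
    try:
        resolve_db_path(sandbox_root, requested=raw, env={})
    except UnsafeDbPath:
        return False
    return True


if __name__ == "__main__":
    root = os.path.join(tempfile.gettempdir(), "skill-sandbox")
    print(resolve_db_path(root, env={}))               # <tmp>/skill-sandbox/stock_data.db
    print(is_inside_sandbox(root, HARDCODED_DB_PATH))  # False: the scan's original path is rejected
    print(is_inside_sandbox(root, "../escape.db"))     # False: traversal out of the sandbox
```

Pair this with running the skill under a non-root user whose home is the sandbox, so that even a missed code path cannot create files under /root/.openclaw.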
What to consider before installing
Do not run the 'execute trading' step or hand over credentials yet. Before using this skill:
1) Verify the missing files: request trading_workflow.py, positions.json and the scripts referenced in SKILL.md; do not run anything that isn't provided and inspected.
2) Inspect trading_workflow.py (if provided) to confirm whether it places real trades and which broker APIs it uses; require explicit documentation of the API keys it needs.
3) Change the hardcoded DB_PATH to a path inside a sandboxed directory (or run in an isolated VM/container) so that nothing is written under /root/.openclaw.
4) If the multi-agent/LLM features are wanted, confirm where API keys are supplied and provide them only through secure environment variables, after review.
5) Run the initial scans and the stock_analysis script in simulation mode (no real order execution) and review the network endpoints contacted; qt.gtimg.cn, ifzq.gtimg.cn and push2.eastmoney.com are the expected data sources.
6) Because the source/homepage is unknown and the package advertises a paid download, run it only in a sandbox with simulated funds and verify code provenance before trusting it with real money or credentials.
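Items 1, 3, 4 and 5 above can be checked statically over the unpacked bundle before anything executes. The script below is an added example for this page, not part of the skill or of ClawHub's scanner. It takes the bundle as a mapping of file name to contents, lists files that the docs reference but the bundle lacks, quoted absolute paths in the code, every host the code contacts (compared against the data sources the scan names), and LLM/credential markers in the JSON config that have no declared environment variable. The sample bundle is constructed to mirror the findings above; it also plants one host, collector.example, that the real skill is not reported to contact, purely so the allowlist check has something to fire on. The regexes are heuristics for a human to review, not a verdict.

```python
"""Static pre-install audit of a skill bundle (added example, constructed sample data)."""
import json
import re

# Data sources the scan lists as expected for this skill; anything else needs a look.
EXPECTED_HOSTS = {"qt.gtimg.cn", "ifzq.gtimg.cn", "push2.eastmoney.com"}

FILE_REF = re.compile(r"\b[\w-]+(?:/[\w-]+)*\.(?:py|json|md|ya?ml|csv|txt)\b")
DIR_REF = re.compile(r"\b[\w-]+/(?![\w-])")          # 'scripts/' style directory mentions
ABS_PATH = re.compile(r"""['"](/[^'"\s]+)['"]""")   # quoted absolute paths in code
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
CRED_MARKERS = ("openai", "anthropic", "gpt-", "api_key", "apikey", "secret", "token", "broker")

# Constructed stand-in for the bundle; file names follow the scan report, contents are invented.
SAMPLE_BUNDLE = {
    "SKILL.md": (
        "Run `python3 stock_analysis_v5.py` for the daily scan, then "
        "`python3 trading_workflow.py` to execute trades and inspect positions.json. "
        "Helper scripts live under scripts/, cached results under backtest_cache/."
    ),
    "stock_analysis_v5.py": (
        "import requests\n"
        "DB_PATH = '/root/.openclaw/workspace-financemaster/stock_data.db'\n"
        "QUOTE_URL = 'https://qt.gtimg.cn/q='\n"
        "LIST_URL = 'https://push2.eastmoney.com/api/qt/clist/get'\n"
        "# planted for the demo only: a host the real skill is not reported to contact\n"
        "REPORT_URL = 'https://collector.example/upload'\n"
    ),
    "trading_unified_config.json": json.dumps(
        {"llm": {"provider": "openai", "model": "gpt-4.5"}, "agents": ["analyst", "risk", "executor"]}
    ),
}


def referenced_but_missing(bundle):
    """Files and directories mentioned in the *.md docs that the bundle does not ship."""
    present = set(bundle)
    refs = set()
    for name, text in bundle.items():
        if name.endswith(".md"):
            refs.update(FILE_REF.findall(text))
            refs.update(DIR_REF.findall(text))
    missing = set()
    for ref in refs:
        if ref.endswith("/"):
            if not any(k.startswith(ref) for k in present):
                missing.add(ref)
        elif ref not in present:
            missing.add(ref)
    return sorted(missing)


def absolute_paths(bundle):
    """(file, path) pairs for quoted absolute paths in Python sources; review each by hand."""
    return [(name, p) for name, text in bundle.items() if name.endswith(".py") for p in ABS_PATH.findall(text)]


def contacted_hosts(bundle):
    """Every host that appears in an http(s) URL anywhere in the bundle."""
    hosts = set()
    for text in bundle.values():
        hosts.update(h.lower() for h in HOST.findall(text))
    return hosts


def credential_markers(bundle):
    """LLM/credential-related words in JSON configs, which imply keys the skill must obtain."""
    hits = set()
    for name, text in bundle.items():
        if name.endswith(".json"):
            low = text.lower()
            hits.update(m for m in CRED_MARKERS if m in low)
    return sorted(hits)


def audit(bundle, declared_env=()):
    """Collect the findings; declared_env is the env vars the skill metadata declares."""
    hosts = contacted_hosts(bundle)
    markers = credential_markers(bundle)
    return {
        "missing_files": referenced_but_missing(bundle),
        "absolute_paths": absolute_paths(bundle),
        "hosts": sorted(hosts),
        "unexpected_hosts": sorted(hosts - EXPECTED_HOSTS),
        "credential_markers": markers,
        "undeclared_credentials": bool(markers) and not declared_env,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_BUNDLE), indent=2))
```

Any non-empty `missing_files`, `unexpected_hosts` or `undeclared_credentials: true` is a reason to stop and ask the author before running the skill, which is exactly the posture the scan recommends.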
latest · vk97ad6z2azhtchngvj5wq9x9c1848nta
