Skill v1.0.2
ClawScan security
joinquant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 23, 2026, 10:03 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match the stated JoinQuant data / backtest purpose, but metadata inconsistencies around required credentials (and how they are declared) create ambiguity the user should resolve before installing.
- Guidance
- This package appears to legitimately wrap the official jqdatasdk for JoinQuant usage, but packaging metadata is inconsistent about credentials. Before installing: (1) Confirm whether the skill will read JQ_USERNAME/JQ_PASSWORD from the agent environment — metadata.json and README indicate it will. (2) If providing credentials, prefer a least-privilege or read-only account and avoid reusing your main JoinQuant password. (3) Verify you install jqdatasdk from an official source (PyPI) and, if possible, review or monitor network traffic to ensure credentials are only sent to JoinQuant endpoints. (4) Ask the skill author to fix metadata to clearly declare required env vars and primary credential so the agent's permission prompts are accurate.
Review Dimensions
- Purpose & Capability
- ok: Name/description, SKILL.md, README, and demo all describe using jqdatasdk to query JoinQuant data and run strategies. Required binaries (python3) and declared Python packages (jqdatasdk, pandas) are appropriate for the stated purpose.
- Instruction Scope
- ok: Runtime instructions are limited to installing/using jqdatasdk, authenticating with a JoinQuant account, querying market/financial data, and running event-driven strategy functions. The SKILL.md does not instruct reading unrelated system files or contacting unexpected endpoints beyond JoinQuant/JQData.
- Install Mechanism
- ok: This is instruction-only (no automated install spec). The included requirements.txt references jqdatasdk and pandas (expected). No downloads from untrusted URLs or archive extraction are present in the package.
- Credentials
- concern: The skill requires JoinQuant credentials (username/password) to authenticate via jqdatasdk, which is proportional to its purpose. However, there is an inconsistency: the top-level registry summary lists 'Required env vars: none' while metadata.json and the README/SKILL.md indicate JQ_USERNAME and JQ_PASSWORD are expected. This mismatch creates ambiguity about whether the agent will request or expect env-stored credentials and how they are handled.
- Persistence & Privilege
- ok: always:false (normal). The skill does not request persistent or platform-global privileges and does not modify other skills or system-wide configs.
