Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

myquant

v1.0.3

MyQuant (掘金量化) Python SDK - an event-driven quantitative trading platform supporting backtesting and live trading of A-shares, futures, options, ETFs and convertible bonds.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, README, SKILL.md and demo all describe a Python SDK ('gm' package) for MyQuant and require python3 and a MyQuant token — these are coherent with the stated purpose. However the registry metadata shown at the top (no required envs, Version=1.0.3, owner ID) does not match the packaged files (metadata.json/_meta.json report GM_TOKEN as required, versions 1.2.0/1.3.0, different ownerId). The mismatch between declared registry requirements and the embedded metadata is unexpected.
Instruction Scope
SKILL.md and included docs instruct installing 'gm' via pip, setting a GM token, and running strategy code. The runtime instructions do not ask the agent to read unrelated files, system credentials, or to exfiltrate data. Demo code only attempts to import gm.api and instructs to set_token.
Install Mechanism
There is no install spec for the skill itself (instruction-only). The instructions recommend 'pip install gm' (standard PyPI) or downloading from the vendor website. No downloads from obscure hosts or archive extraction are present in the skill bundle.
Credentials
The package files (metadata.json, README, SKILL.md) indicate a single credential (GM_TOKEN) is needed — appropriate for an API client. But the registry summary at the top listed no required env vars and no primary credential; that inconsistency is concerning and should be clarified before supplying a token.
Persistence & Privilege
Skill flags are normal: always=false, user-invocable=true, disable-model-invocation=false. The skill does not request persistent or system-wide privileges, and it does not modify other skills or agent configs in the bundle.
Scan Findings in Context
[metadata_requires_env_GM_TOKEN] expected: metadata.json and README declare GM_TOKEN as required — this is expected for a trading API SDK that needs an auth token.
[registry_vs_package_version_mismatch] unexpected: Registry-level metadata reported Version=1.0.3 while packaged files show versions 1.2.0 / 1.3.0. Version mismatch across declarations is unexpected and could indicate stale or tampered registry metadata.
[ownerId_inconsistency] unexpected: _meta.json ownerId differs from the registry ownerId field at the top of the report. Inconsistent owner attribution is unexpected and merits verification of provenance.
[no_injection_signals] expected: Pre-scan injection signals: None detected.
What to consider before installing
This skill appears to be a wrapper/guide for the official MyQuant ('gm') Python SDK and only needs python3 plus a MyQuant token, which is reasonable. However, there are multiple inconsistencies in the package metadata (mismatched version numbers and owner IDs, and disagreement about whether GM_TOKEN is declared in the registry). Before installing or providing credentials:
1) Verify the 'gm' package source (confirm the package on PyPI or the vendor site is the official MyQuant release and check publisher/owner).
2) Prefer installing 'gm' directly from the official PyPI entry or vendor download linked on https://www.myquant.cn rather than any untrusted bundle.
3) Do not paste your GM_TOKEN into third-party UIs or scripts unless you confirm the package origin; use a dedicated API token with minimal permissions if possible.
4) If you need higher assurance, request the upstream repository URL or a signed release; check the package contents for unexpected network calls before running in a production environment.
If you want, I can list specific checks to perform on the 'gm' package or help verify the PyPI project and its maintainers.


Runtime requirements

⛏️ Clawdis
Bins: python3
