Skillv1.0.0

ClawScan security

joinquant聚宽平台的策略助手，DR成熟框架 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 10, 2026, 8:02 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This skill's files, instructions, and resource requests are coherent with its stated purpose (providing JoinQuant strategy templates and references); it does not request credentials, install software, or contact external endpoints.
Guidance: This package is internally consistent with its stated purpose, but before installing consider: 1) Verify the source/trustworthiness — the skill's source/homepage is unknown; review the included code yourself or with a developer. 2) Understand runtime context — these templates contain code that will place orders when run on JoinQuant; do not run against a live account until you have tested in a sandbox/backtest. 3) Credentials and execution are handled outside the skill — the skill doesn't request API keys, but executing strategies on JoinQuant normally requires linking your account/API credentials to the platform; keep those credentials secure. 4) Audit any changes before you let an autonomous agent execute code that can place trades. Overall the skill appears coherent and appropriate, but exercise normal caution when enabling trading-related code from an unverified source.

Purpose & Capability: okName/description (JoinQuant strategy helper) match the provided templates, examples, snippets and API reference. All required artifacts (strategy templates, example code, documentation) are appropriate for the stated purpose; no unrelated services, binaries, or credentials are requested.
Instruction Scope: okSKILL.md simply describes how to use templates, snippets, and API docs inside Cursor. The runtime instructions do not direct the agent to read arbitrary system files, environment variables, or to transmit data to external endpoints. The included code uses JoinQuant APIs (jqdata) and platform-specific functions, which is expected for trading strategy templates.
Install Mechanism: okNo install spec is present (instruction-only with static code files). Nothing is downloaded or written by an installer; risk from install mechanism is minimal.
Credentials: okThe skill does not declare or require any environment variables, credentials, or config paths. The code assumes use of the JoinQuant runtime (jqdata) but does not request unrelated secrets or platform credentials in the skill bundle.
Persistence & Privilege: okSkill flags show always:false and default invocation settings. It does not request permanent agent-wide presence or attempt to modify other skills or system settings.