IRS Strategy Development Skill
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a coherent IRS trading-strategy reference, but it exposes plaintext internal database and website credentials and includes live-trading order capabilities.
Do not rely on the exposed database or website credentials as-is; ask the publisher to remove and rotate them. If you use the skill, verify the private NuGet template source and treat any IRS.Trader workflow or generated order-placement code as capable of real financial trading unless you have confirmed it is in backtest or simulation mode.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the skill may learn shared credentials for internal financial data systems if those systems are reachable.
The skill embeds plaintext database and website credentials in documentation. These credentials are not merely requested from the user; they are included in the artifact and could be exposed to any installer or agent context.
连接串:`Server=192.168.1.129;Database=JYDB;User Id=Traders;Password=abcd4321;...` ... 在线数据字典:https://dd.gildata.com/(用户名:szsgdsjk01,密码:gildata@123)
Remove the credentials from the skill, rotate the exposed passwords, and require users to provide access through approved secret-management or environment-variable mechanisms.
Generated or modified strategies could submit real orders if run against a live trading setup.
The skill intentionally documents live/simulated trading and algorithmic order placement. This is aligned with its purpose, but it is high-impact and can place trades when used in the user's IRS environment.
IRS(开发代号 SunnyQuant)是一个基于 C#/.NET 的量化投研系统,支持策略编写、回测(IRS.Lab)和实盘交易(IRS.Trader)。 ... 所有下单均通过算法单(AlgoOrder)完成。
Use backtest or simulation modes first, confirm whether IRS.Trader is connected to live or simulated accounts, and require explicit user approval before running any strategy that can place orders.
A user may install template code from a private package source that ClawScan did not review.
The setup guidance installs a template from a private NuGet source using --force. This is purpose-aligned setup documentation, but the package/version is not pinned in the artifact.
dotnet new install SGD.InvestorResearchSystem --nuget-source https://nuget.shengguanda.com/v3/index.json --force
Verify the NuGet source, package identity, and version before installation; prefer pinned versions and avoid --force unless needed.