worldquant-miner-cn
Status: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: worldquant-miner-cn
Version: 1.0.0

The skill is classified as suspicious due to significant credential handling vulnerabilities. Both `SKILL.md` and `README.md` instruct users to store WorldQuant credentials in a plain text file (`credential.txt`). More critically, `references/README_en.md` shows direct command-line exposure of usernames and passwords (`python machine_miner.py --username ... --password ...`), which can lead to credential leakage via process lists or shell history. While the skill does not exhibit malicious intent to steal credentials, these instructions create a severe security flaw that allows for credential compromise.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or following the instructions could give the automation access to the user's WorldQuant account.
The skill asks the user to place WorldQuant account credentials, including a password, into a local plaintext file. This is central to the tool, but the registry declares no primary credential or required environment variable, so the credential boundary is under-disclosed.
echo '["your.email@worldquant.com", "your_password"]' > credential.txt
Use only a credential storage method you trust, avoid plaintext passwords where possible, and confirm the skill metadata clearly declares required credentials before use.
The automation may submit alphas through the user's WorldQuant account, potentially consuming limits or affecting account activity without a clear confirmation step.
The skill advertises automated submission to WorldQuant, a third-party account action. The artifacts mention daily limits and filtering, but do not clearly require user confirmation for each submission or describe reversal/containment controls.
📤 **Smart submission** - daily limit, automatic filtering
Require explicit user approval before each submission and document exactly what account actions are performed.
A user may need to obtain and run external or missing code that was not reviewed here, while also providing account credentials.
The skill instructs users to run Docker Compose deployment files, but the reviewed manifest contains only README.md, SKILL.md, package.json, and references/README_en.md. The compose files and Python implementation are not present, creating an unreviewed-code/provenance gap for a credentialed finance automation system.
docker-compose -f docker-compose.gpu.yml up -d
Review the actual Docker Compose files, Dockerfiles, Python code, and dependency locks from a trusted source before running anything.
The system could keep generating, testing, and potentially submitting alphas in the background until explicitly stopped.
The reference documentation describes persistent autonomous operation. Combined with WorldQuant credential use and submission features, this means the system may continue acting after initial setup.
🤖 **Fully automated** 24/7 operation
Run only with clear start/stop controls, monitoring, and submission approval settings; do not leave it unattended with production credentials.
