AI全栈量化 Master
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a genuine quant-trading guide, but it describes persistent autonomous agents that can place live broker trades without clear human approval or hard limits.
Install or use this only if you intentionally want to build an automated trading system. Treat it as Review-worthy: test in backtest or paper-trading mode first, verify remote install scripts, keep QMT and Feishu secrets protected, and do not enable live order execution until human approval, exposure limits, audit logs, and an emergency stop are configured.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with real QMT trading access, an agent workflow could place real trades and cause financial loss.
This routes automated buy/sell actions to an executor agent after an internal risk check, but the artifacts do not require human approval, account allowlists, maximum order sizes, paper-trading defaults, or other safeguards before live broker orders.
If the risk check passes, call `executor` - execute buy/sell orders - record the trade log
Keep live trading disabled by default; require explicit human approval for each order, start with paper trading, set account and symbol allowlists, cap order size and total exposure, and maintain audit logs.
A misconfigured or poorly supervised agent could continue acting repeatedly on trading signals and orders.
The skill promotes persistent scheduled automation for a live-trading workflow, but the artifacts do not define stop conditions, kill switches, trading-hour limits, or mandatory operator review.
Achieve 7×24-hour automated quantitative trading ... Scheduled task configuration: recommended to run once every 15 minutes
Add a clear shutdown procedure, trading-session limits, manual enablement for live mode, failure backoff, and alerts when scheduled jobs or executor agents run.
Anyone with these credentials may be able to access messaging integrations or, for QMT, potentially broker-related functions depending on the configured account.
The skill expects sensitive QMT and Feishu credentials for its stated integrations; this is purpose-aligned and includes a token-safety warning, but the registry metadata declares no primary credential or required environment variables.
Keep the API token safe and never leak it ... openclaw config set channel.feishu.appSecret <APP_SECRET>
Use least-privilege credentials, avoid sharing live trading tokens with autonomous workflows until safeguards are in place, store secrets securely, and rotate them if exposed.
Running remote install scripts can execute whatever code is served from those URLs at install time.
The documentation asks users to pipe remote install scripts into a shell; this is a common, user-directed setup pattern, but it depends on remote source integrity and is not pinned to a reviewed version.
iwr https://raw.githubusercontent.com/openclaw/openclaw/main/install.ps1 -UseBasicParsing | iex ... curl -fsSL https://openclaw.sh/install.sh | bash
Review scripts before execution, prefer pinned releases or checksums, avoid unnecessary administrator/root execution, and install from trusted sources only.
Trading signals, portfolio plans, reports, or agent messages may be exposed to Feishu apps, group members, or misconfigured bots.
The skill uses a Feishu group to coordinate multiple agents, including an executor role; this is disclosed and purpose-aligned, but users should control group membership, app permissions, and what trading data or commands are shared.
Using a Feishu group as the collaboration medium ... agents: ["researcher", "selector", "strategist", "risk", "executor"]
Limit Feishu permissions and group membership, separate reporting from execution, avoid posting secrets or full account details, and verify message origin before any trade execution.
