Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Quant Research Platform

v1.0.0

Advanced quantitative research platform for multi-factor analysis, factor mining, backtesting, and portfolio optimization. Includes 100+ alpha factors, IC/IR...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (multi-factor research, backtesting, optimization) align with the included Python code and the SKILL.md examples. The pip requirements listed in SKILL.md (pandas, numpy, xgboost, akshare, tushare, etc.) are reasonable for the stated purpose.
Instruction Scope (flagged)
SKILL.md shows only local usage and package installation, but it also documents AlternativeData methods (satellite_data, web_traffic, supply_chain) that imply external network or API access. The runtime instructions do not say how those data sources are authenticated or where their requests go. The README does not ask the agent to read unrelated system files or secrets, but the undocumented endpoints and credentials are scope creep relative to the simple usage examples.
Install Mechanism
There is no registry install spec (the skill is instruction-only). SKILL.md tells the user to pip install third-party packages from public PyPI, which is low-to-moderate risk and typical for a Python library; the registry entry itself performs and specifies no installs, so users run pip manually. No high-risk download URLs or archive extraction are present.
Credentials (flagged)
The skill declares no required environment variables, yet it recommends installing tushare and akshare and exposes alternative-data methods that normally require API keys. tushare needs a TUSHARE_TOKEN for many endpoints, and satellite-imagery and web-traffic providers typically require API keys of their own. Declaring no env vars and giving no credential guidance is an inconsistency that can translate into hidden network calls or unexplained credential prompts at runtime.
Persistence & Privilege
The skill is not always-enabled, does not request system config paths, and does not declare persistent privileges. It appears to be a normal, user-invocable library with no unusual persistence demands.
What to consider before installing
Before installing or running this skill:
1) Inspect the full quant_research.py. Search for network calls (requests, urllib, aiohttp, socket, boto, paramiko, ftplib, and subprocess invocations of curl or wget) and for any reads of os.environ or hard-coded tokens.
2) Check the AlternativeData implementation: confirm which external APIs it calls and whether it requires API keys. Do not supply API keys unless you trust the source.
3) tushare typically requires a TUSHARE_TOKEN; ask the author how credentials are handled.
4) Run the code in an isolated environment (VM or container) and monitor outbound network traffic on the first run.
5) Ask the publisher for provenance (homepage, repository, license) and for a list of the external endpoints the library contacts.
If you cannot verify these details, do not use real production or data credentials with this skill.
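Steps 1 to 3 of that checklist can be done mechanically before anything is executed. The script below is an added example written for this listing; it is not code from the skill, from its author or from ClawHub. It walks the AST of a Python module and reports network-capable imports and calls, subprocess invocations that mention curl or wget, every environment variable the module reads (the credentials it will want at runtime) and any URL or token-like string literal it embeds. The module list, the finding categories and the SAMPLE module at the bottom are all this example's own choices; SAMPLE is a constructed stand-in for a quant_research.py under review, not the skill's real source. Requires Python 3.9 or later for ast.unparse.

```python
"""Static triage of a Python module before you run it (added example; not the skill's code).

Reports network imports/calls, curl/wget shell-outs, os.environ reads, and URL or
token-like literals. SAMPLE below is constructed for the demonstration.
"""
import ast
import re
from dataclasses import dataclass

# Modules whose presence means the code can reach the network or remote hosts (this example's list).
NETWORK_MODULES = {
    "requests", "urllib", "urllib3", "aiohttp", "httpx", "socket", "websocket",
    "boto3", "botocore", "paramiko", "ftplib", "smtplib",
}
SPAWN_FUNCS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output", "subprocess.check_call", "os.system"}
SHELL_DOWNLOADERS = ("curl", "wget")
URL_RE = re.compile(r"https?://[^\s'\"]+")
# A long, opaque literal with no spaces is what a pasted API key usually looks like.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{32,}$")


@dataclass
class Finding:
    kind: str    # network_import, network_call, subprocess, shell_download, env_read, url_literal, token_like_literal
    line: int
    detail: str


def _dotted(node):
    """Return 'a.b.c' for an Attribute/Name chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


class Triage(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _add(self, kind, node, detail):
        self.findings.append(Finding(kind, node.lineno, detail))

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name.split(".")[0] in NETWORK_MODULES:
                self._add("network_import", node, alias.name)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        module = node.module or ""
        if module.split(".")[0] in NETWORK_MODULES:
            self._add("network_import", node, module)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in SPAWN_FUNCS:
            cmd = ast.unparse(node.args[0]) if node.args else ""
            if any(tool in cmd for tool in SHELL_DOWNLOADERS):
                self._add("shell_download", node, cmd)
            else:
                self._add("subprocess", node, name)
        elif name in {"os.getenv", "os.environ.get"}:
            first = node.args[0] if node.args else None
            var = first.value if isinstance(first, ast.Constant) else "<dynamic>"
            self._add("env_read", node, str(var))
        elif name.split(".")[0] in NETWORK_MODULES:
            self._add("network_call", node, name)
        self.generic_visit(node)

    def visit_Subscript(self, node):
        # os.environ["NAME"] reads; the os.environ.get form is handled in visit_Call.
        if _dotted(node.value) == "os.environ":
            var = node.slice.value if isinstance(node.slice, ast.Constant) else "<dynamic>"
            self._add("env_read", node, str(var))
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            if URL_RE.search(node.value):
                self._add("url_literal", node, node.value)
            elif TOKEN_RE.match(node.value):
                self._add("token_like_literal", node, node.value[:6] + "...")  # never echo a full secret


def triage_source(source, filename="<string>"):
    visitor = Triage()
    visitor.visit(ast.parse(source, filename=filename))
    return visitor.findings


def env_vars_read(findings):
    """Environment variables (credentials) the module will ask for at runtime, sorted."""
    return sorted({f.detail for f in findings if f.kind == "env_read"})


# Constructed stand-in for a module under review; not the skill's real code. Hosts use .invalid.
SAMPLE = '''
import os
import pandas as pd
import requests
from urllib.request import urlopen
import subprocess

TOKEN = "ab12cd34ef56ab12cd34ef56ab12cd34ef56"   # constructed, not a real key

class AlternativeData:
    def __init__(self):
        self.token = os.environ["TUSHARE_TOKEN"]
        self.key = os.getenv("SAT_API_KEY")
    def web_traffic(self, ticker):
        return requests.get("https://example.invalid/traffic", params={"t": ticker})
    def satellite_data(self, ticker):
        subprocess.run(["curl", "-s", "https://example.invalid/sat/" + ticker])
'''

if __name__ == "__main__":
    findings = triage_source(SAMPLE, "quant_research.py")
    for f in findings:
        print(f"{f.kind:<20} line {f.line:>3}  {f.detail}")
    print("env vars read:", env_vars_read(findings))
```

Run it against the real quant_research.py by replacing SAMPLE with the file's contents (for example `triage_source(open("quant_research.py").read(), "quant_research.py")`). An empty result is not proof of safety: URLs built at runtime, exec of downloaded code, or network access buried in a dependency are invisible to this pass, which is why step 4 (isolated run with outbound traffic monitored) still applies.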


latest: vk973hp1espsmfndwg9qf4q3m9183dzky
