Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Quant Strategy Bundle

v1.0.0

Quantitative trading strategy bundle - Contains multiple verified A-stock quantitative trading strategy frameworks. Includes momentum strategies, reversal st...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description (quant trading strategies, backtesting, signal generation) match the high-level instructions, but the SKILL.md expects a 'strategy' Python module and a config.json with a Tushare token that are not included and not declared in requirements. The skill therefore does not contain the code it claims to document, which is an incoherence.
! Instruction Scope
Runtime instructions tell the user/agent to pip install packages and then import from 'strategy' (MomentumStrategy, etc.) and to place a Tushare token in config.json. The skill does not provide that module or an example config, and it does not declare the Tushare token as a required credential. This gives the agent/user broad discretion to install packages and use external tokens without guidance or packaged code.
Install Mechanism
There is no install spec (instruction-only). SKILL.md recommends 'pip install pandas numpy xgboost tushare' which will download code from PyPI — normal for Python projects but worth noting because large packages (xgboost) may require build steps; the skill does not provide a controlled install or pinned versions.
! Credentials
The instructions require a Tushare token (sensitive API credential) in config.json, but the skill declares no required environment variables or primary credential. Asking for a third‑party API token without declaring it or explaining storage/usage is disproportionate and a transparency gap.
Persistence & Privilege
always is false and there is no install script or persistent modification of agent/system configuration. The skill does not request elevated or persistent privileges.
What to consider before installing
This skill is inconsistent: the README expects a local 'strategy' Python module and a Tushare API token but provides neither and does not declare required credentials. Before installing or running anything:
(1) obtain the actual strategy code from a trusted source (the skill package lacks it);
(2) do not paste your Tushare token into public places — store it securely and consider using environment variables rather than unchecked config files;
(3) prefer installing dependencies into an isolated virtual environment (venv/conda) rather than system-wide;
(4) verify the strategy implementation code for unsafe behaviour (network calls, data exfiltration, or executing arbitrary shell commands);
(5) if you cannot obtain the missing code or a trustworthy source, avoid running the pip installs or executing unverified scripts.
These inconsistencies are plausibly benign poor packaging, but they could hide risk, so proceed with caution.

Like a lobster shell, security has layers — review code before you run it.
