Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Statistical Arbitrage 統計套利

v1.0.4

A professional statistical arbitrage (pairs trading) strategy: computes dynamic hedge ratios, runs backtests and generates a complete report. Supports multiple markets, including Hong Kong stocks (.HK), US stocks (no suffix, the default) and A-shares (.SS/.SZ). Use when: the user says "analyze a statistical arbitrage strategy", "backtest AAPL and GOOGL for me", "pairs trading backtest". NOT for: single-stock analysis, trend trading, futures arbitrage, stock screening.

0· 170·1 current·1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description promise a full pairs-trading backtester that accepts user-specified tickers/periods and writes plots/HTML/CSVs. The package only requires python3 (reasonable), but the shipped code uses hardcoded default tickers/dates and a hardcoded output path variable; that does not align with the stated interactive/parameterized capability.
Instruction Scope
SKILL.md instructs installing dependencies and running the script with --stock1/--stock2/--start/--end/--output etc. The actual script contains no argument parsing (it ignores CLI args and uses internal defaults), and it prints summaries rather than producing the many PNG/HTML/CSV files the doc claims. That is a substantive scope discrepancy — the instructions would cause the agent to expect generated files that the code does not produce.
Install Mechanism
No remote download/install is performed; dependencies are standard Python packages installed via pip (yfinance, pandas, numpy, statsmodels, matplotlib). An install script is included that runs pip; this is expected and proportionate for the declared functionality.
Credentials
The skill requests no environment variables or credentials. Its dependencies access only the public Yahoo Finance data source via yfinance, which matches the stated data source. No secrets or unrelated credentials are requested.
Persistence & Privilege
The skill is not always-included and does not request elevated persistence. The install script writes a local test_config.json and may create files if run, which is normal for a local analysis tool; nothing modifies other skills or global configs.
What to consider before installing
Do not assume the skill will behave as the README/SKILL.md claims. Specific issues to consider before installing or running:
- The included Python script is labelled 'Obfuscated Version', uses non-descriptive variable names, and hardcodes defaults (tickers, train/test split, and an output path variable). That makes auditing harder. Ask the author for a clear, non-obfuscated version.
- SKILL.md and package.json advertise CLI options and many output files (PNG, report.html, CSV). The script neither parses command-line arguments nor saves plots or CSV/HTML outputs; it only prints summaries. If you need the promised outputs, request a corrected script that implements argument parsing and file generation.
- The script contains a hardcoded path ('/Users/houloi/Desktop/代碼/') which could be used to write files to that location if later code uses it. Confirm whether the script writes anywhere, and where. Prefer explicit --output handling with a safe default in the current working directory.
- Because the code makes network calls (yfinance), run it first in a controlled environment or sandbox and inspect the actual network activity and the files it produces.
- If you plan to use this for trading decisions, validate results independently (the README includes appropriate risk warnings). Consider requesting unit tests or example outputs that match the documentation.
If the author provides a non-obfuscated, argument-parsing version that actually writes the claimed outputs (or SKILL.md is corrected to match the code), re-evaluate; until then treat the skill as untrusted for automation.
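The checks above (does the script read CLI arguments, does it hardcode absolute paths, which network libraries does it import, does it ever write files, is it labelled obfuscated) can be run statically before anything executes. The following is an added example written for this review, not code from ClawHub or from the skill's author: it walks the script's AST with Python's standard library and reports the documentation/code mismatches the scan describes. All function and variable names are mine, and the embedded sample script is constructed for the demo (the path in it is a placeholder, not the skill's real path).

```python
"""Static pre-install audit for a shipped Python skill script (added example).

Compares what a script actually does (argument parsing, hardcoded absolute
paths, network imports, file writes, obfuscation label) against what its
SKILL.md claims. Names below are assumptions for the demo, not a real API.
"""
import ast
import re

NETWORK_MODULES = {"yfinance", "requests", "urllib", "socket", "http", "httpx"}
WRITE_CALLS = {"to_csv", "savefig", "to_html", "to_json", "write", "write_text"}
# macOS/Linux home and temp roots, plus Windows drive letters
ABS_PATH_RE = re.compile(r"^(/Users/|/home/|/tmp/|[A-Za-z]:\\)")


def _root_module(name):
    return name.split(".")[0]


def audit_script(source: str) -> dict:
    """Return a findings dict for one Python source string."""
    tree = ast.parse(source)
    findings = {
        "parses_cli_args": False,          # argparse import or sys.argv use
        "hardcoded_abs_paths": [],         # string literals that look like absolute paths
        "network_modules": set(),          # imported libraries that can reach the network
        "file_write_calls": set(),         # calls that would create files on disk
        "obfuscation_marker": "obfuscated" in source.lower(),
    }
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            roots = {_root_module(a.name) for a in node.names}
        elif isinstance(node, ast.ImportFrom) and node.module:
            roots = {_root_module(node.module)}
        else:
            roots = set()
        if "argparse" in roots:
            findings["parses_cli_args"] = True
        findings["network_modules"] |= roots & NETWORK_MODULES

        if (isinstance(node, ast.Attribute) and node.attr == "argv"
                and isinstance(node.value, ast.Name) and node.value.id == "sys"):
            findings["parses_cli_args"] = True

        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if ABS_PATH_RE.match(node.value):
                findings["hardcoded_abs_paths"].append(node.value)

        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in WRITE_CALLS:
                findings["file_write_calls"].add(name)
            # open(path, "w"/"a"/"x") is a write; open(path) alone is a read
            if name == "open" and len(node.args) >= 2:
                mode = node.args[1]
                if isinstance(mode, ast.Constant) and isinstance(mode.value, str) \
                        and any(c in mode.value for c in "wax"):
                    findings["file_write_calls"].add("open")
    return findings


def scope_mismatches(findings: dict, docs_claim_cli: bool, docs_claim_outputs: bool) -> list:
    """Turn findings into the review points a SKILL.md reader would need."""
    issues = []
    if docs_claim_cli and not findings["parses_cli_args"]:
        issues.append("docs advertise CLI flags but the script reads no arguments")
    if docs_claim_outputs and not findings["file_write_calls"]:
        issues.append("docs promise output files but the script never writes any")
    if findings["hardcoded_abs_paths"]:
        issues.append("hardcoded absolute paths: " + ", ".join(findings["hardcoded_abs_paths"]))
    if findings["obfuscation_marker"]:
        issues.append("script labels itself obfuscated; request a readable version")
    return issues


# Constructed sample that mirrors the pattern described in the scan report.
SAMPLE_SCRIPT = '''# Obfuscated Version
import yfinance as yf
import numpy as np
a = "AAPL"; b = "GOOGL"
p = "/Users/example/Desktop/out/"
d = yf.download([a, b], start="2020-01-01", end="2023-12-31")
print(d.head())
'''

if __name__ == "__main__":
    f = audit_script(SAMPLE_SCRIPT)
    for issue in scope_mismatches(f, docs_claim_cli=True, docs_claim_outputs=True):
        print("-", issue)
    print("network modules:", sorted(f["network_modules"]))
```

Run it against the skill's shipped .py file by reading that file into `audit_script` instead of `SAMPLE_SCRIPT`; an empty `file_write_calls` set combined with documentation that promises PNG/CSV/HTML output is exactly the scope discrepancy flagged above, and a non-empty `network_modules` set tells you which egress to watch for in the sandbox run.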

Like a lobster shell, security has layers — review code before you run it.

latest: vk971dc46r1b0vh75qfcwfqjdk183zbdm


Runtime requirements

Clawdis
Bins: python3
