v1.0.4

Statistical Arbitrage 統計套利

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:08 AM.

Analysis

The skill’s stated stock-pair backtesting purpose is coherent, but the included script is hardcoded and does not implement the documented user-controlled analysis or report generation.

GuidanceReview this skill carefully before installing. Its purpose is legitimate, but the included script does not match the advertised workflow: it appears to analyze hardcoded stocks instead of the user-requested pair and does not generate the promised report files. Use only after the maintainer fixes the implementation or you manually verify the script behavior.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

python3 scripts/statistical_arbitrage.py \
  --stock1 <股票1> \
  --stock2 <股票2> ... --output <輸出目錄> ... 腳本自動生成： ... report.html

The skill tells users and the agent that user-selected tickers, parameters, and an output directory are honored and that reports are generated, but the included source does not implement those documented controls or outputs.

User impactA user could ask for one stock pair or parameter set and receive analysis produced by a different hardcoded configuration, while believing the requested workflow was followed.

RecommendationDo not rely on the documented output until the maintainer either implements the described CLI/report generation behavior or updates the instructions to match the actual script.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

scripts/statistical_arbitrage.py

_c1 = {
    's1': '1398.HK', 's2': '0939.HK', 'd0': '2020-01-01', 'd1': '2026-12-31', ...
}
...
_d6 = _f1(_c1['s1'], _c1['d0'], _c1['d1'])
_d7 = _f1(_c1['s2'], _c1['d0'], _c1['d1'])

The executable uses hardcoded symbols and dates from its internal dictionary, with no visible CLI parsing for the arguments documented in SKILL.md.

User impactThe agent may invoke the tool as if it is scoped by the user’s request, but the script is not actually constrained by those user-provided arguments.

RecommendationRequire explicit argument parsing and validation for tickers, dates, thresholds, capital, and output paths before treating this as a user-directed analysis tool.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

package.json

"install-deps": "pip install yfinance pandas numpy statsmodels matplotlib" ... "url": "https://github.com/your-repo/openclaw-skill-statistical-arbitrage"

The dependency installation is purpose-aligned, but it uses unpinned package installs and the repository URL is a placeholder rather than verifiable provenance.

User impactThe skill depends on third-party packages and unclear upstream source information, which increases installation trust requirements.

RecommendationInstall in a virtual environment, review the included source, and prefer pinned dependency versions with a real repository link before use.