Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ptrade Skills
v1.0.0提供三种高级量化策略,包含小市值选股、8因子打分+ATR止损和热点行业轮动移动止损,支持实盘部署。
⭐ 0· 59·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the actual code: three trading strategies (small-cap, 8-factor+ATR, sector rotation) that use a PTrade-style API. However, the skill metadata declares no required env vars or credentials, while every code file imports and calls a 'ptrade' API (get_price, order_shares, get_instrument_info, etc.). That implies missing runtime requirements (API keys, endpoint config or SDK) which is an incoherence between stated metadata and actual runtime needs.
Instruction Scope
SKILL.md and the Python files stick to trading/data tasks (selecting stocks, computing factors, placing orders). They do not attempt to read local files, system configs, or communicate with unexpected endpoints. The instructions include standard anti-lookahead rules and backtest safeguards.
Install Mechanism
No install spec (instruction-only plus included strategy files). Nothing is downloaded or installed by the skill itself — lowest-risk install model. The code does depend on an external 'ptrade' runtime/SDK which is not provided here.
Credentials
The code will require access to the PTrade brokerage/data API (and thus credentials or a configured runtime) but the skill metadata lists no required environment variables or primary credential. That mismatch is important: running these scripts in a live agent will likely need API keys or a configured environment; these are not declared or scoped. Also the code makes bulk requests (get_trade_calendar() then get_price for all A-shares), which may require high API quotas and could expose large amounts of portfolio/market data if used with real brokerage credentials.
Persistence & Privilege
Skill flags are default (not always:true). It does not attempt to modify other skills or persist beyond its own variables. Autonomous invocation is allowed by default but is not by itself a red flag here.
What to consider before installing
This skill contains three coherent trading strategies and uses a 'ptrade' API to fetch market data and place orders. Before installing or running it: 1) Confirm how the 'ptrade' SDK/agent runtime is configured — the skill metadata lists no API keys or env vars, but the code will need brokerage/data credentials and endpoint configuration; ask the author what credentials are required and where they are stored. 2) Do not run against real trading credentials until you test thoroughly in a sandbox/paper environment; these strategies will place orders. 3) The code requests bulk market data (all symbols from get_trade_calendar then get_price for many securities) — ensure you have API quota and that such large requests are intentional. 4) Review and test edge cases: the code swallows many exceptions (which can hide failures), mixes datetime.now and context.now (possible timing/backtest inconsistencies), and one source file in the provided manifest was truncated in the package review — request the complete files. 5) If you intend to deploy live, ask for explicit documentation of required runtime configuration (credentials, SDK version, rate limits) and run a dry-run/paper backtest first.Like a lobster shell, security has layers — review code before you run it.
latestvk97arj38aayse0jqtrte6p29b984qhmk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.