12 量化交易V2.2完整版
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears to be a stock analysis/backtesting tool with expected market-data access and optional notifications, but users should verify setup steps and protect any configured API or email credentials.
Before installing, inspect the setup script and use a virtual environment. Treat this as an analysis/alerting tool, not an automated trading bot. Do not add real email/API secrets unless you need those features, keep them out of shared files, and verify notification recipients and monitoring stop conditions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could run setup commands that are not clearly represented by the registry install metadata or file list.
The skill asks users to run a shell deployment script, but the registry says there is no install spec and the manifest lists install.sh rather than this named script. This looks like a setup/provenance inconsistency rather than malicious behavior.
cd 12-量化交易V2.2完整版 bash 一键部署脚本.sh
Inspect any shell script before running it, prefer the files actually present in the package, and install dependencies in a virtual environment.
If a user adds real tokens or email authorization codes to the config file, those secrets could be exposed if the folder is shared, committed, or logged.
The configuration supports optional Tushare, SMTP email, and vision-model credentials. These are expected for data and notification features, but the registry declares no credentials or environment variables.
tushare_token: "${TUSHARE_TOKEN}" ... password: "your_authorization_code" ... api_key: "${VISION_API_KEY}"Keep notifications and AI features disabled unless needed, use environment variables or a secrets manager, and avoid committing real credentials.
Selected stocks, signal recommendations, and market reports may be sent to configured recipients or messaging platforms.
The skill can send analysis results through external notification channels. This is disclosed and purpose-aligned, but it can reveal a user's watchlist, trading interests, or generated signals to third-party services.
多渠道整合(邮件/微信/飞书/Telegram/钉钉) - 优先级管理(低/普通/高/紧急) - 失败重试机制 - 消息队列
Configure only trusted recipients/webhooks, disable unused channels, and review message contents before enabling automatic notifications.
A monitoring process could keep running and continue making network requests or sending alerts until stopped.
The skill documents a recurring monitoring loop that checks stocks every five minutes and sends notifications. This is aligned with real-time monitoring, but users should ensure it has a clear stop condition and scope.
monitor_stocks(stocks, interval=300) # 每5分钟检查一次 # 有信号时发送邮件通知
Run monitoring only for an explicit watchlist, set a duration or stop procedure, and confirm notification settings before enabling it.