12 量化交易V2.2完整版
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: 12-v2-2 Version: 1.0.0 The skill bundle provides a comprehensive quantitative trading system for stock analysis, signal generation, and backtesting. It includes modules for multi-source data management (AKShare, Efinance), market environment analysis, and a notification system supporting email and various webhooks (Telegram, WeChat, Feishu). The code is well-structured, follows standard financial application patterns, and lacks any indicators of malicious intent, data exfiltration, or unauthorized execution. Sensitive configurations like SMTP credentials and API keys are handled via user-provided placeholders in 'config/V2.2配置文件.yaml'.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could run setup commands that are not clearly represented by the registry install metadata or file list.
The skill asks users to run a shell deployment script, but the registry says there is no install spec and the manifest lists install.sh rather than this named script. This looks like a setup/provenance inconsistency rather than malicious behavior.
cd 12-量化交易V2.2完整版 bash 一键部署脚本.sh
Inspect any shell script before running it, prefer the files actually present in the package, and install dependencies in a virtual environment.
If a user adds real tokens or email authorization codes to the config file, those secrets could be exposed if the folder is shared, committed, or logged.
The configuration supports optional Tushare, SMTP email, and vision-model credentials. These are expected for data and notification features, but the registry declares no credentials or environment variables.
tushare_token: "${TUSHARE_TOKEN}" ... password: "your_authorization_code" ... api_key: "${VISION_API_KEY}"Keep notifications and AI features disabled unless needed, use environment variables or a secrets manager, and avoid committing real credentials.
Selected stocks, signal recommendations, and market reports may be sent to configured recipients or messaging platforms.
The skill can send analysis results through external notification channels. This is disclosed and purpose-aligned, but it can reveal a user's watchlist, trading interests, or generated signals to third-party services.
多渠道整合(邮件/微信/飞书/Telegram/钉钉) - 优先级管理(低/普通/高/紧急) - 失败重试机制 - 消息队列
Configure only trusted recipients/webhooks, disable unused channels, and review message contents before enabling automatic notifications.
A monitoring process could keep running and continue making network requests or sending alerts until stopped.
The skill documents a recurring monitoring loop that checks stocks every five minutes and sends notifications. This is aligned with real-time monitoring, but users should ensure it has a clear stop condition and scope.
monitor_stocks(stocks, interval=300) # 每5分钟检查一次 # 有信号时发送邮件通知
Run monitoring only for an explicit watchlist, set a duration or stop procedure, and confirm notification settings before enabling it.