Quant-Expert
PassAudited by ClawScan on May 1, 2026.
Overview
Quant-Expert appears coherent for stock analysis and uses expected external market-data APIs and a Tushare token, with no artifact-backed signs of hidden exfiltration or destructive behavior.
Install only if you are comfortable providing a Tushare token and allowing the skill to query external market-data and holiday services. Keep the token private, do not auto-install packages unless you choose to, and review any unusually broad raw data queries.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may use the user's Tushare account token to make market-data requests and consume account quota.
The skill uses a Tushare API credential, which is expected for market-data access but should be noticed because it grants API access under the user's account.
Because `primaryEnv` is set to `TUSHARE_TOKEN`, OpenClaw can inject the token for this skill automatically.
Use a dedicated Tushare token if possible, keep it out of repositories, and monitor API usage.
A broad raw data request could fetch large datasets or consume API quota if used carelessly.
The raw helper can call different Tushare API methods based on the requested API name and parameters. This is central to the skill's purpose, but it is broader than a single fixed workflow.
api_func = getattr(self.pro, api_name) df = api_func(**params)
Review broad or repeated raw Tushare queries before running them, especially those without tight date, stock-code, or limit parameters.
Dates or market-calendar queries may be sent to an external service; Tushare queries similarly go to the Tushare provider.
The holiday helper sends date-related queries to an external holiday API, which is disclosed and purpose-aligned.
API_BASE = "https://timor.tech/api/holiday"
Avoid including confidential strategy details in free-form external web or API queries unless you are comfortable sharing that context with the provider.