CSI 300 Multi-Factor Investment Research System v5.1

Warn

Audited by ClawScan on May 14, 2026.

Overview

This stock research skill is mostly purpose-aligned, but its scripts ship and automatically use hardcoded JQData login credentials.

Review carefully before installing. Remove the embedded JQData credentials, use your own secrets through a secure mechanism, consider pinning dependencies, and only enable the suggested daily Heartbeat run if you are comfortable with recurring provider access.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users may unknowingly run the skill under someone else's JQData account, expose or propagate a real provider password, or find that their own configured credentials are bypassed by hardcoded logins.

Why it was flagged

The primary analysis script directly authenticates to JQData using embedded account credentials rather than a user-provided secret; the password is redacted here but present in the artifact.

Skill content

import jqdatasdk as jq; jq.auth('13918681158', '<redacted hardcoded password>')

Recommendation

Do not use the shipped credentials. The publisher should rotate the exposed JQData password, remove hardcoded auth from all scripts, declare the credential requirement, and load user secrets from a secure config or environment variable.

What this means

Future package changes or dependency differences could affect results or runtime behavior.

Why it was flagged

The documented setup installs unpinned Python packages manually; this is expected for a data-analysis skill, but versions and package provenance are not locked by an install spec.

Skill content

pip install akshare jqdatasdk tushare pandas numpy scipy

Recommendation

Install in an isolated environment and prefer pinned dependency versions or a reviewed lockfile.

What this means

If configured, the skill could repeatedly access data providers and generate reports without a fresh manual action each day.

Why it was flagged

The skill suggests scheduled recurring execution; it is disclosed and aligned with daily investment reports, but it creates ongoing automated activity if the user enables it.

Skill content

Recommended: configure OpenClaw Heartbeat to run automatically every day at 08:30

Recommendation

Only enable scheduling after reviewing credentials, output destinations, and whether daily automated execution is desired.