沪深300多因子投研系统 v6.0 — 多策略量化选股平台
WarnAudited by ClawScan on May 16, 2026.
Overview
This finance-analysis skill is mostly on-purpose, but it contains hardcoded JQData login credentials and contradicts its own claim that JQData is disabled.
Review this skill before installing. Remove or replace the hardcoded JQData credentials, verify which market-data providers it will contact, install dependencies in an isolated environment, and treat its stock rankings as research output rather than financial advice.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill may use an embedded third-party data-provider account instead of a user-controlled credential, creating account ownership, audit, quota, and credential-exposure risks.
The script authenticates to JQData with credentials embedded directly in source, while the registry declares no primary credential or required environment variables.
jq.auth('139****1158', '<hardcoded password>')Remove the hardcoded credential, rotate the exposed secret, require users to provide their own credential via environment variable or config, and declare that credential in metadata.
Users may believe the skill will not contact or rely on JQData when some workflows do, including with embedded credentials.
The documentation says JQData is disabled/removed, but provided scripts still import JQData and authenticate to it, which can mislead users about what data sources and credentials are used.
⚠️ JQData 已禁用 — 免费版数据截止2026-02-10,已从数据源剔除
Make the documentation match the code: either fully remove JQData usage or clearly disclose when it is used, what credential is required, and how users can disable it.
Future package changes or compromised dependencies could affect results or runtime behavior.
The skill instructs installation of multiple unpinned Python packages from the package ecosystem. This is expected for the finance-analysis purpose, but versions and provenance are not locked.
pip install akshare tushare pywencai pandas numpy scipy
Use a pinned requirements file or lockfile, install in an isolated environment, and review package sources before running.
If configured, the skill may run daily, make network requests, use API quotas, and generate local outputs without a fresh manual trigger each time.
The skill recommends a daily scheduled run. This is disclosed and aligned with generating daily research reports, but it is still persistent recurring activity if enabled.
建议配置 OpenClaw Heartbeat 每日 08:30 自动运行
Enable scheduled runs only intentionally, monitor outputs and API usage, and keep an easy way to disable the schedule.