Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

factorlang-expression

v1.0.1

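Provides a complete reference manual and specification for the FactorLang quantitative factor expression language. Invoke this skill when the user needs to write factor expressions, develop strategies, look up syntax, or design trading strategies. Includes the complete variables, functions, and best practices. Based on the original documentation, it includes the complete variables, functions, and best practices.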

by Frank @rxjhfmf
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (FactorLang expression reference and guidance) matches the included documentation and examples. However, the SKILL.md includes a specific MCP server call pattern for running expressions, which expands the skill's scope from 'documentation' to 'integration/execution' without declaring the service endpoint, required credentials, or why such a call is necessary for a documentation-only skill.
Instruction Scope
Instructions are mostly documentation and parsing rules for constructing expressions, which is expected. Concerningly, a special rule (Rule5) shows a concrete call to mcp_engine_mcp_server_run_expression_selected that sends start/end dates, poolId, open/close/stop conditions, cash, and direction. That directs the agent to transmit user-provided strategy details to an external execution/engine service; the SKILL.md does not identify the destination, authentication, or privacy handling.
Install Mechanism
No install spec is present, and no code files that execute code are included beyond the documentation; this is the lowest-risk case from an installation perspective.
Credentials
The skill declares no required env vars or credentials, which aligns with being documentation-only. However, because it explicitly instructs the agent to call an MCP server, it is unusual that no endpoint or credential requirements are declared — if the agent/platform will perform that call, credentials or configuration will likely be needed but are not specified.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request elevated persistence or system-wide configuration. Autonomous invocation is allowed by default (platform normal) but is not, by itself, a new concern here.
What to consider before installing
This package is mainly a reference manual and examples for FactorLang and appears consistent with that purpose, but it also contains an instruction to call an 'MCP' engine (mcp_engine_mcp_server_run_expression_selected) that would send strategy/condition data to an external service. Before installing or enabling this skill, ask the publisher: (1) what is the MCP server (URL, owner, privacy policy)? (2) Will the agent actually send user strategy text or other sensitive data to that server? (3) What credentials or config are required, and why aren't they declared? If you plan to use the skill only as offline documentation, ensure the agent/platform won't automatically invoke external APIs or transmit your proprietary strategies; prefer disabling autonomous invocation or restricting network calls until you verify the endpoint and credentials. If the author cannot provide clear answers or the endpoint is untrusted, treat the skill as risky for handling confidential strategy code or account-sensitive parameters.
