ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

strategy-engine

v1.0.0

调用Strategy Engine MCP服务器执行量化策略。当用户需要运行因子表达式策略、回测交易策略或执行金融分析时调用此技能。基于MCP Server工具的实际默认值设置。

0· 72·0 current·0 all-time
byFrank@rxjhfmf
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the instructions: the document is focused on building parameters and invoking an MCP Server call (e.g., mcp_engine_mcp_server_run_expression_selected). However, the skill declares no endpoint, no credentials, and no required environment variables — a mismatch unless the platform provides a built-in MCP tool. This absence makes the claimed capability ambiguous in deployment.
Instruction Scope
SKILL.md stays on-topic: it specifies parameter inference rules, default values, and example calls to an MCP invocation function. It does not instruct reading arbitrary system files, harvesting environment secrets, or sending data to third-party endpoints beyond the MCP call. It references the current date (derived from environment) for time-window logic, which is reasonable for its purpose.
Install Mechanism
This is instruction-only (no install spec, no code files). That minimizes disk-writing risk — there is nothing downloaded or installed by the skill itself.
Credentials
The skill requests no environment variables or credentials, yet the behavior presumes making calls to an MCP server. Real calls typically require a server URL and auth (API key, token, or platform-integrated tool). The lack of declared primaryEnv or required credentials is disproportionate unless the platform supplies the MCP integration and authentication implicitly.
Persistence & Privilege
always:false and no install actions mean the skill does not request persistent presence or elevated platform configuration changes. Autonomous invocation is allowed (platform default) but not combined with other high-risk privileges here.
What to consider before installing
This skill appears to be a legitimate parameter-builder and caller for a Strategy Engine, but before installing: 1) Ask the publisher/platform where the MCP server endpoint and authentication come from (is there a built-in 'mcp' tool or do you need to provide credentials?). 2) Verify the MCP server's host and operator — confirm you're not sending trading data or secrets to an unknown third party. 3) If the platform integrates the MCP tool, confirm what credentials it will use and whether those are scoped/limited. 4) If you handle sensitive trading or account credentials, avoid enabling autonomous invocation until you confirm the destination and auth. 5) Prefer testing in a sandbox with non-sensitive data to observe actual network calls and behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk972pk81g0e0971j7rt49qjnkn83qr39

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments