Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

波龙股神量化交易系统

v2.1.3

🐉 波龙股神量化交易系统 V2.1: a one-stop quant workbench for A-shares and futures. Multi-factor stock selection · A-share backtesting (T+1 settlement, daily price limits) · Huaxin QMT live trading · Wenhua Finance (文华财经) futures · real-time risk-control alerts. Search keywords: 波龙股神, quantitative trading, stock selection, A-shares, futures, QMT, Wenhua Finance, backtesting, strategy, investing, stocks, stock trading, quant, quant stock selection, automated trading, 巧未来

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement a full trading stack (stock picker, backtester, executors for 华鑫QMT and 文华WH8, risk monitor) which legitimately needs Python, market-data tokens (TUSHARE), and optional broker credentials. However the registry summary at the top of the submission lists no required binaries or env vars while the SKILL.md metadata and config files explicitly require python3 and TUSHARE_TOKEN (and optionally QMT/WH8/TB account credentials). That mismatch between declared requirements and the actual instructions/config is an incoherence that should be resolved by the author.
Instruction Scope
The SKILL.md instructs the agent to run local Python scripts, edit local YAML config files, and provide tokens/credentials for data and broker APIs. The instructions reference only trading-relevant files, local service endpoints (defaulting to 127.0.0.1 for broker APIs), and market-data providers (tushare/akshare). There are no instructions to read unrelated system files or exfiltrate data in the provided docs.
Install Mechanism
No install spec is present (instruction-only install), so nothing is downloaded automatically by the skill. Dependencies are typical Python packages installed via pip per the README/SKILL.md (pandas, numpy, tushare, akshare, requests, etc.). This is low-risk from an automated-install perspective, but you should still inspect or pin third-party Python packages before installing.
Credentials
The environment variables referenced in SKILL.md and config (TUSHARE_TOKEN, QMT_ACCOUNT/QMT_PASSWORD, WH8_ACCOUNT/WH8_PASSWORD, PUSH_TOKEN/PUSH_CHAT_ID) are proportional to a trading skill: market-data tokens and broker credentials are expected. The concern is twofold: (1) the registry-level 'Requirements' in the submission initially reported 'none', but the SKILL.md requires TUSHARE_TOKEN and python3 — this discrepancy is confusing; (2) broker credentials are sensitive — give them only to code you trust and prefer paper-mode or separate accounts for testing.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or systemwide agent settings in the provided files. It runs as-needed scripts and supports simulated (paper) modes in the executors, which is appropriate for a trading toolkit.
What to consider before installing
This repository appears to be a real quant-trading toolkit and thus legitimately needs a market-data token (TUSHARE_TOKEN) and—if you want live trading—broker credentials for QMT/WH8/TB. Two things to check before installing or providing secrets: (1) metadata mismatch — confirm with the author/maintainer which env vars are actually required (the SKILL.md and config expect TUSHARE_TOKEN and optional broker creds, but registry metadata initially showed none); (2) never supply live broker credentials until you have audited the executor code and tested thoroughly in 'paper' (simulated) mode. Recommended steps: run everything in an isolated environment, inspect scripts executor_huaxin.py and executor_wenhua.py for network endpoints and behavior, use a throwaway/test trading account (or only connect to local test endpoints), keep real funds offline until manual review and paper testing succeed, and consider pinning/installing Python dependencies in a virtualenv to avoid supply-chain surprises.
