Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily Stock Analyzer

v0.1.0

基于 Qlib 的 A 股自选股智能分析系统,集成 LLM Agent ReAct 推理引擎和技术指标择时模块(MA 多头排列、乖离率阈值严进策略),自动生成每日 buy/hold/sell 指令并推送至微信。触发场景:(1) 用户要查询自选股当天的 AI 交易信号和涨跌预测;(2) 用户要获取符合 MA 多头排...

0· 19·0 current·0 all-time
byTang Weigang@tangweigang-jpg

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tangweigang-jpg/daily-stock-analyzer.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Daily Stock Analyzer" (tangweigang-jpg/daily-stock-analyzer) from ClawHub.
Skill page: https://clawhub.ai/tangweigang-jpg/daily-stock-analyzer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install tangweigang-jpg/daily-stock-analyzer

ClawHub CLI

Package manager switcher

npx clawhub@latest install daily-stock-analyzer
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description and files disagree about core platform: the skill title/description and some text say '基于 Qlib' while SKILL.md and human_summary repeatedly reference ZVT (different ecosystems). The skill also lists capabilities (REST API, FastAPI, Server酱3 push, multiple data recorders) that legitimately require external API keys and local Python environment setup, but the registry metadata declares no required binaries or env vars. This mismatch (claimed capabilities vs declared requirements) is incoherent.
!
Instruction Scope
SKILL.md and seed.yaml describe runtime behavior that goes beyond a simple question–answer skill: precondition checks run python -c commands that import zvt and may create/read ~/.zvt, data fetchers will call eastmoney/Tushare/AkShare/joinquant, and notification components reference Server酱3/WeChat. The instructions implicitly require reading/writing local config and contacting many external endpoints; however those env vars/credentials are not declared in the registry. The seed.yaml execution_protocol also mandates re-reading seed.yaml and running install/precondition steps, giving the agent discretion to run system commands — this is broader than the registry claims.
Install Mechanism
There is no install spec (instruction-only), which lowers risk of arbitrary downloads. However SKILL.md metadata says 'Requires Python 3.12+ with uv package manager' and seed.yaml's execution_protocol refers to running install_recipes and verifying imports. The absence of an explicit, reproducible install recipe is an inconsistency that could lead to the agent attempting ad‑hoc pip installs at runtime.
!
Credentials
The skill references many external services that normally require secrets (Tushare/JoinQuant API keys, Server酱3/WeChat push keys, database credentials, possibly LLM provider keys and ZVT_HOME). Yet the registry shows no required env vars or primary credential. Required env/configs are missing from the manifest (under‑declared), which is disproportionate and risky because the agent may prompt for or try to access secrets at runtime without clear constraints.
Persistence & Privilege
always:false and no install means the skill does not request forced, permanent inclusion. That said, seed.yaml and SKILL.md instruct precondition checks that may create or write to ~/.zvt and imply the agent can run pip install / zvt.init_dirs — the skill could therefore create local state during execution. This is not an explicit privilege escalation but it is behavior to verify before granting runtime access.
What to consider before installing
Do not install or run this skill without clarifying the inconsistencies. Ask the author to: (1) confirm whether the implementation uses Qlib or ZVT (they are different ecosystems) and provide a clear README; (2) list required environment variables (Tushare/JoinQuant/Server酱3/WeChat/DB/LLM keys) and justify each; (3) provide an explicit, safe install procedure (no arbitrary remote downloads) or a pinned requirements file; (4) confirm what precondition commands will run (the SKILL/seed.yaml mentions python -c checks that may create ~/.zvt and run pip install); (5) test the skill in an isolated sandbox with no production credentials and review any generated network calls. If you must try it, run it in a VM or container with restricted network access and no sensitive credentials until the above are resolved.

Like a lobster shell, security has layers — review code before you run it.

aivk970qnd9jrerh2z6jkap526vsx85dg7qdoramagic-crystalvk970qnd9jrerh2z6jkap526vsx85dg7qfinancevk970qnd9jrerh2z6jkap526vsx85dg7qlatestvk970qnd9jrerh2z6jkap526vsx85dg7qquantvk970qnd9jrerh2z6jkap526vsx85dg7q
19downloads
0stars
1versions
Updated 8h ago
v0.1.0
MIT-0

daily-stock-analyzer

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (9 total)

A股自选股智能分析系统主调度 (UC-101)

协调各模块完成股票分析流程,实现低并发的线程池调度,全局异常处理确保单股失败不影响整体分析任务 Triggers: 股票分析, 调度, 线程池

RESTful API 后端服务 (UC-102)

提供RESTful API服务支持CORS跨域访问,同时托管前端静态文件用于生产环境部署 Triggers: API服务, 后端, FastAPI

LLM Agent ReAct执行循环 (UC-103)

提供LLM Agent的ReAct执行循环,支持可插拔的进度回调、消息历史和结果处理,实现工具调用与LLM推理的迭代执行 Triggers: LLM Agent, ReAct, 工具调用

For all 9 use cases, see references/USE_CASES.md.

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

IDRuleOn Violation
SL-01Execute sell orders before buy orders in every trading cyclehalt
SL-02Trading signals MUST use next-bar execution (no look-ahead)halt
SL-03Entity IDs MUST follow format entity_type_exchange_codehalt
SL-04DataFrame index MUST be MultiIndex (entity_id, timestamp)halt
SL-05TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amounthalt
SL-06filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTIONhalt
SL-07Transformer MUST run BEFORE Accumulator in factor pipelinehalt
SL-08MACD parameters locked: fast=12, slow=26, signal=9halt

Full lock definitions: references/LOCKS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-004. Evidence verify ratio = 52.9% and audit fail total = 25. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

FileContentsWhen to Load
references/seed.yamlV6+ 全量权威 (source-of-truth)有行为/决策争议时必读
references/ANTI_PATTERNS.md0 条跨项目反模式开始实现前
references/WISDOM.md跨项目精华借鉴架构决策时
references/CONSTRAINTS.mddomain + fatal 约束规则冲突时
references/USE_CASES.md全量 KUC-* 业务场景需要完整示例时
references/LOCKS.mdSL-* + preconditions + hints生成回测/交易代码前
references/COMPONENTS.mdAST 组件地图(按 module 拆分)查 API 时

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-004 blueprint at 2026-04-22T11:38:26.686045+00:00. See human_summary.md for non-technical overview.

Comments

Loading comments...