Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Insurance Loss Reserving

v0.3.2

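Actuarial loss reserve estimation with chainladder-python: from historical claims triangles to IBNR reserves and tail-parameter fitting. Supports multiple product lines: reinsurance, catastrophe, and general liability.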

by Tang Weigang (@tangweigang-jpg)
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and top description say 'chainladder-python' for actuarial loss reserving, but SKILL.md, human_summary.md and seed.yaml are dominated by ZVT quant-trading concepts (data recorders, MACD, trading_execution, entity_id formats) and semantic locks for trading. This mismatch suggests either a mislabeled/merged artifact or intentional misdirection: requested capabilities (trading, data recorders, pip-install of zvt, next-bar execution) do not align with a pure actuarial reserving tool.
Instruction Scope
Although there is no code, SKILL.md and seed.yaml instruct the agent to run runtime checks and commands (e.g., python import checks, pip install zvt, run zvt.recorders, read references/seed.yaml) and require reading many local reference files. The instructions reference system paths (ZVT_HOME, ~/.zvt) and tell the agent to run tooling that may install packages, create directories, and fetch external market data — which is beyond a simple 'compute loss reserves' skill and not justified by the declared metadata.
Install Mechanism
There is no formal install spec (instruction-only), but seed.yaml and SKILL.md explicitly instruct running installation commands (pip install zvt) and running recorders. That means runtime will attempt to install third-party packages with no vetted install recipe declared in the skill manifest. Instruction-driven installs are higher-risk because they run arbitrary package installs at runtime and are not surfaced in requires.install.
Credentials
The skill declares no required env vars or credentials but instructions reference and require ZVT_HOME and suggest using data providers that typically need credentials (joinquant, qmt). The skill also references writing to ~/.zvt and running recorders that may require network credentials — asking for or using such secrets is not declared in metadata, so environment/credential needs are under-specified and disproportionate to the manifest.
Persistence & Privilege
always:false (good) but the execution protocol in seed.yaml mandates re-reading seed.yaml and running precondition commands that can create directories, touch files (~/.zvt), and run pip installs. The skill would therefore modify host state at runtime (install packages, initialize data directories) despite lacking an explicit install step and without declaring elevated privileges. Combined with trading-related semantic locks (which imply external execution semantics), this broad host interaction increases risk.
What to consider before installing
This skill package is internally inconsistent: the label says 'insurance loss reserving' but most runtime instructions and reference files are for a ZVT quant-trading pipeline and include commands that install packages and manipulate ~/.zvt. Before installing or enabling this skill:

  1) Ask the publisher to clarify the intended purpose and provide a corrected SKILL.md (actuarial vs trading).
  2) Require an explicit install spec that lists exact packages and trusted sources (no ad-hoc pip at runtime).
  3) Do NOT provide broker/API credentials (joinquant/qmt) or cloud secrets until the skill explicitly declares them and explains why they are needed.
  4) If you must evaluate, run the skill in an isolated sandbox (container/VM) with no access to your real accounts or home directory.
  5) Ask the author to declare required environment variables and show exactly what filesystem changes the skill will make (e.g., writes to ~/.zvt).
  6) If the skill is intended to trade/execute orders, treat it with high caution — require full proof of broker integration, signing, and a safe test mode.

Providing any credentials or allowing automatic installs before these clarifications would be risky.


Tags: actuarial, doramagic-crystal, finance, insurance, latest
30 downloads
0 stars
3 versions
Updated 3h ago
v0.3.2
MIT-0

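Insurance Loss Reserving (insurance-loss-reserving)

Estimate IBNR reserves from historical claims triangles using the chain ladder method; works for reinsurance, catastrophe, and general liability lines.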

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (0 total)

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

| ID | Rule | On Violation |
|---|---|---|
| SL-01 | Execute sell orders before buy orders in every trading cycle | halt |
| SL-02 | Trading signals MUST use next-bar execution (no look-ahead) | halt |
| SL-03 | Entity IDs MUST follow format entity_type_exchange_code | halt |
| SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp) | halt |
| SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt |
| SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION | halt |
| SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline | halt |
| SL-08 | MACD parameters locked: fast=12, slow=26, signal=9 | halt |

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (15 total)

  • AP-INSURANCE-001: Implicit numeric format assumptions without validation
  • AP-INSURANCE-002: Triangle axis construction with invalid temporal ordering
  • AP-INSURANCE-003: Cumulative/incremental triangle representation misuse

All 15 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-063. Evidence verify ratio = 56.5% and audit fail total = 15. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

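| File | Contents | When to Load |
|---|---|---|
| references/seed.yaml | V6+ full authoritative spec (source-of-truth) | Must read when behavior or decisions are in dispute |
| references/ANTI_PATTERNS.md | 15 cross-project anti-patterns | Before starting implementation |
| references/WISDOM.md | Cross-project lessons learned | When making architecture decisions |
| references/CONSTRAINTS.md | Domain + fatal constraints | When rules conflict |
| references/USE_CASES.md | Full set of KUC-* business scenarios | When complete examples are needed |
| references/LOCKS.md | SL-* + preconditions + hints | Before generating backtest/trading code |
| references/COMPONENTS.md | AST component map (split by module) | When looking up APIs |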

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-063 blueprint at 2026-04-22T13:00:20.366204+00:00. See human_summary.md for non-technical overview.
