!
Purpose & Capability
Name/description present an MCP Python SDK reference implementation, but metadata and included files (human_summary.md and references/seed.yaml) are a compiled finance blueprint (finance-bp-140) describing ZVT backtests, Doraemon persona, and finance-specific tooling. This mismatch between declared purpose and actual content is incoherent.
!
Instruction Scope
SKILL.md and seed.yaml instruct the host agent to reload seed.yaml, run precondition checks (python3 -c 'import zvt' etc.), execute install triggers, and read LATEST.yaml/LATEST.jsonl — actions that touch the filesystem, run shell/python commands, and may trigger package installs. Those runtime actions go beyond a simple documentation skill and reference finance-specific runtime checks not declared in the skill header.
ℹ
Install Mechanism
There is no install spec (instruction-only), which minimizes delivery-time risk; however seed.yaml includes install_trigger and host_adapter.install_recipes[] references meaning the agent is expected to run installs on the host at runtime. Because no explicit install recipe is packaged, the actual install behavior depends on agent implementation and could lead to unexpected package installs.
!
Credentials
The skill declares no required env vars or config paths, yet seed.yaml and preconditions reference environment state (ZVT_HOME), python/pip availability, and services (eastmoney, OAuth flows in intent_router). Credentials or environment requirements are not declared, which is disproportionate and hides needed permissions/resources.
✓
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent/always-on privileges or modify other skills. Autonomous invocation is allowed by default and not an added flag here.
Scan Findings in Context
[no_regex_findings] unexpected: Scanner found no code files to analyze (instruction-only). The lack of findings is expected for an instruction-only skill, but provides limited signal — the real risk is in the SKILL.md/seed.yaml instructions.
What to consider before installing
This package is inconsistent: it presents as an MCP SDK but includes a compiled finance blueprint that tells the agent to run Python checks, install recipes, and rely on ZVT and environment paths that aren't declared. Before installing or running it, (1) verify you actually intended a finance/backtest blueprint rather than an MCP SDK, (2) open and read references/seed.yaml and human_summary.md in full to see the exact commands and preconditions, (3) do not let an agent run install or shell commands from this skill in a production environment — run them manually in a sandbox first, (4) confirm any required env vars (e.g., ZVT_HOME, API tokens) and package installs (zvt, pywin32, AnyIO, Starlette) and only provide secrets that are strictly necessary, and (5) ask the author to correct the skill metadata (declare required binaries/env, or remove unrelated finance content) — that clarification would materially reduce the risk and could change the assessment to benign.
