Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

quantaxis-data-platform

v0.3.0

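Provides factor computation, storage, and tear sheet analysis for the A-share market, supports zero-copy Pandas/Polars data conversion and QIFI account backtest simulation, and is suited to multi-data-source quantitative research. Trigger scenarios: (1) the user wants to compute the MA5 moving-average factor and store it in ClickHouse; (2) the user wants to generate a visual tear sheet analysis for pre-computed factors...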

by Tang Weigang (@tangweigang-jpg)
Security Scan

Capability signals: Crypto, Requires wallet, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md describes support for ZVT/QIFI, Polars zero-copy bridges, ClickHouse storage and examples referencing QuantAxis/ZVT/QARS. The provided install script installs common infra libraries (pymongo, motor, clickhouse-driver, redis, pandas, numpy, pyarrow, requests, tornado, pika) but notably does NOT install polars, zvt, quantaxis, qifi/qars bindings or any explicit ClickHouse/ClickHouse ORM wrappers beyond clickhouse-driver, nor does it pin versions. This is an incoherence: either the skill expects those packages to already exist on the host, or the install script is incomplete.
Instruction Scope
Runtime instructions center on running scripts/install.sh and following many project preconditions (seed.yaml contains explicit precondition checks to run zvt, initialize dirs, run recorders). The SKILL.md references external data providers (eastmoney, joinquant, akshare, qmt) which imply network calls and possible credential use, but the SKILL.md itself does not request or declare any environment secrets. The instructions do not ask the agent to read unrelated host secrets or arbitrary system paths, but they do rely on re-reading seed.yaml and running host pip operations—this grants the agent broad leeway to alter the environment during setup.
Install Mechanism
The included scripts/install.sh uses pip to install multiple packages without version pins and does so globally (no virtualenv activation). Pip installs from PyPI are a common but non-trivial install mechanism: they can downgrade/upgrade system packages, change interpreter state, and have side effects. There are no downloads from arbitrary URLs, which reduces high-risk concerns, but the lack of environment isolation and missing packages (see purpose_capability) are problematic.
Credentials
The skill declares no required environment variables or credentials, which is reasonable for an instruction-only skill. However, its documented use cases interact with external data providers and broker APIs (some require account credentials). The skill does not request those credentials up front—so users will need to provide them at runtime—but nothing in the files asks for unrelated secrets. This is proportional but the omission of any declared env-vars while depending on external services may lead to ad-hoc credential prompts.
Persistence & Privilege
always: false and normal agent invocation settings. The skill does not assert persistent system-wide privileges or modifications to other skills. Its install script will alter the Python environment by installing packages, but it does not modify other skills' configs or declare 'always' privilege.
What to consider before installing
Key points before installing or running this skill:

  • Incoherent/missing dependencies: The documentation promises Polars zero-copy bridges and ZVT/QIFI integration, but scripts/install.sh does not install polars, zvt, quantaxis or other project-specific packages. Expect to manually install additional packages (and confirm exact package names/versions) before use.
  • Run installs in isolation: The install script uses global pip (no venv). Run it inside a Python virtual environment or container to avoid downgrading or breaking your system/other projects.
  • Review and pin versions: The script installs packages without version pins. Consider pinning known-good versions to avoid surprises.
  • Credentials and network access: The skill will contact external data providers (eastmoney, joinquant, akshare, brokers). Prepare credentials where required and verify you consent to any data transmission; the skill does not declare or request these env vars upfront.
  • Audit behavior you care about: If you plan to run backtests that could interact with real broker/test APIs, verify the examples (QIFI/QARS) and be certain they won't submit live orders. The skill includes examples for schedulers, MQ (pika), Redis, and Mongo — confirm you want those services reachable from your environment.
  • License and provenance: The package claims a proprietary license and has no homepage/source URL. If provenance matters, ask the publisher for source code, a canonical repo, or a signed release. Lack of an authoritative source reduces trust.

If you want, I can:

  • list exact missing packages implied by the SKILL.md (e.g., polars, zvt, quantaxis) and propose a safer install script using a virtualenv and pinned versions;
  • extract the precondition commands the skill will run so you can preview potential system commands before execution.

Like a lobster shell, security has layers — review code before you run it.

Tags: doramagic-crystal, finance, latest (each at vk974xvryp4az48exws3sf5fgnn85d5a6)
0 downloads · 0 stars · 1 version
Updated 3h ago
v0.3.0
MIT-0

quantaxis-data-platform

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (8 total)

Moving Average Factor Computation (UC-101)

Computes and stores a 5-day moving average (MA5) factor for daily stock data, enabling technical indicator analysis across multiple stocks using Click

Triggers: factor, moving average, MA5

Factor Tear Sheet Analysis (UC-102)

Retrieves pre-computed MA5 factor data from ClickHouse and generates comprehensive tear sheets for factor performance analysis and visualization in re

Triggers: tear sheet, factor analysis, visualization

Zero-Copy Data Bridge Conversion (UC-103)

Demonstrates efficient zero-copy conversion between Pandas and Polars dataframes, and shared memory-based cross-process data transmission for high-per

Triggers: pandas, polars, conversion

For all 8 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

| ID | Rule | On Violation |
|----|------|--------------|
| SL-01 | Execute sell orders before buy orders in every trading cycle | halt |
| SL-02 | Trading signals MUST use next-bar execution (no look-ahead) | halt |
| SL-03 | Entity IDs MUST follow format entity_type_exchange_code | halt |
| SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp) | halt |
| SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt |
| SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION | halt |
| SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline | halt |
| SL-08 | MACD parameters locked: fast=12, slow=26, signal=9 | halt |

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (25 total)

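  • AP-ZVT-183: When the ex-rights adjustment factor is inf/NaN and is used directly in multiplication, price adjustment fails silently
  • AP-ZVT-179: After a third-party data API exceeds its rate limit, the exception is swallowed and data goes silently missing
  • AP-ZVT-183B: Using the wrong K-line table, HFQ (backward-adjusted) instead of QFQ (forward-adjusted) or vice versa, causes factor computation drift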

All 25 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-090. Evidence verify ratio = 67.7% and audit fail total = 30. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

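| File | Contents | When to Load |
|------|----------|--------------|
| references/seed.yaml | V6+ full authoritative definition (source-of-truth) | Must read when behavior or decisions are in dispute |
| references/ANTI_PATTERNS.md | 25 cross-project anti-patterns | Before starting implementation |
| references/WISDOM.md | Distilled cross-project lessons | When making architecture decisions |
| references/CONSTRAINTS.md | domain + fatal constraints | When rules conflict |
| references/USE_CASES.md | All KUC-* business scenarios | When a complete example is needed |
| references/LOCKS.md | SL-* + preconditions + hints | Before generating backtest/trading code |
| references/COMPONENTS.md | AST component map (split by module) | When looking up an API |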

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-090 blueprint at 2026-04-22T13:00:37.999318+00:00. See human_summary.md for non-technical overview.
