Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

quantlib-derivatives

v0.3.0

Calls the QuantLib engine through SWIG bindings to price financial derivatives such as options, swaps and bonds, supporting finite-difference pricing of American options and validation of multi-asset strategies such as basket spread options. Trigger scenarios: (1) the user wants to quickly compute fair prices of American and quanto options in Python; (2) the user wants to price and validate a three-asset basket spread option and analyse its correlations; (3) the user wants to compute fixed-rate...

by Tang Weigang (@tangweigang-jpg)

Security Scan

Capability signals: Crypto (can make purchases)
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill description and SKILL.md state it uses QuantLib via SWIG and is tightly coupled with ZVT and Doramagic host semantics. However the provided install script only pip-installs general Python packages (pandas, numpy, matplotlib, requests, scipy, scikit-learn, pytest) and does not install QuantLib (python-QuantLib / quantlib-swig), SWIG, or the ZVT package referenced throughout the docs. No system-level build/install steps for native C++ bindings are present. This is disproportionate: a QuantLib-SWIG integration would normally require native library packages or a python binding package and possibly a C/C++ toolchain.
Instruction Scope
SKILL.md instructs running scripts/install.sh and contains many domain-specific preconditions and semantic locks (in references/LOCKS.md and seed.yaml). Those preconditions reference running python checks that read/modify a ~/.zvt directory and require zvt to be importable. The skill text and included seed.yaml also instruct the host to reload seed.yaml before decisions. The instructions therefore imply reading local files and touching user data directories, but the SKILL.md does not declare those file access expectations explicitly. The runtime instructions do not attempt to obtain QuantLib/ZVT but will likely fail or prompt for further installs — leaving the agent discretion to run additional commands (scope creep).
Install Mechanism
There is a scripts/install.sh that uses pip to install pinned/unpinned packages from PyPI (moderate risk but common). The install approach does not download arbitrary archives or run remote installers. However the install script omits installing the declared core components (QuantLib bindings, SWIG, zvt) required by the skill, so it is incomplete rather than overtly dangerous. The pip targets include a questionable constraint ('scikit-learn>1.4.2') which may be unusual but not necessarily malicious.
Credentials
The skill declares no required environment variables or credentials, yet the included references and preconditions mention ZVT_HOME and expect to read/write ~/.zvt and to import zvt. SKILL.md also states Python 3.12+ with an 'uv' package manager. Because the instructions reference environment/state (ZVT home, evaluation of python imports) that are not declared in requires.env, there is a mismatch between claimed environment footprint and what runtime behavior will need.
Persistence & Privilege
The "always" flag is false and the skill does not request permanent platform-wide privileges. There is no evidence it will modify other skills or system-wide agent settings. The agent may run the provided install script, which writes into the Python environment, but that is confined to normal package installation behavior.
What to consider before installing
This package looks incomplete rather than overtly malicious. Before installing, note that:

  • The skill promises QuantLib/SWIG integration and ZVT-based workflows, but the install script does not install QuantLib bindings, SWIG, or zvt. Ask the author how QuantLib and ZVT should be installed (system packages, python wheel, conda, or explicit build steps).
  • The install script will pip-install several packages. Run it inside a controlled virtualenv or container to avoid polluting your system Python.
  • The included references (seed.yaml, LOCKS, preconditions) expect the agent to read files and to create/check ~/.zvt. If you have sensitive files in your home directory, be aware the skill may touch that path during precondition checks.
  • No credentials are requested, so there is low immediate risk of secret exfiltration, but the mismatch between declared requirements and actual functionality means the skill may prompt for additional commands or installs at runtime; review any such prompts carefully.
  • If you need this functionality, request a clarified install manifest that explicitly installs QuantLib (or python-QuantLib/quantlib-swig), documents required system libraries/toolchain, and lists any environment variables or file paths it will read/write. If the author cannot provide that, treat the skill as incomplete and avoid running it on production hosts.


0 downloads · 0 stars · 1 version · Updated 3h ago · v0.3.0 · License: MIT-0

quantlib-derivatives

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (35 total)

Market Element Observability Test (UC-101)

Verifies that market quotes (SimpleQuote) properly notify registered observers when their values change, ensuring reactive pricing systems work correctly.
Triggers: market element, observer pattern, quote observability

Joint Nordic Calendar Holidays Test (UC-109)

Tests joint calendar functionality combining multiple country calendars to determine valid business days for cross-border trading.
Triggers: joint calendar, holidays, business days

Currency Constructor Test (UC-113)

Tests currency class construction including default, standard (EUR), and bespoke currencies for multi-currency instrument pricing.
Triggers: currency, multi-currency, currency constructor

For all 35 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

ID     Rule                                                                         On Violation
SL-01  Execute sell orders before buy orders in every trading cycle                 halt
SL-02  Trading signals MUST use next-bar execution (no look-ahead)                  halt
SL-03  Entity IDs MUST follow format entity_type_exchange_code                      halt
SL-04  DataFrame index MUST be MultiIndex (entity_id, timestamp)                    halt
SL-05  TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount  halt
SL-06  filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION     halt
SL-07  Transformer MUST run BEFORE Accumulator in factor pipeline                   halt
SL-08  MACD parameters locked: fast=12, slow=26, signal=9                           halt

Full lock definitions: references/LOCKS.md
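The locks above are stated as rules but the page gives no checker for them. The following is an added example, not code from the skill or from ZVT: a dependency-free pre-flight validator for SL-01, SL-02, SL-03, SL-05 and SL-06 that a reviewer could run over signals before letting generated backtest code execute them. It assumes signals are plain dicts with the field names from the table plus a "side" key, and that bars are (timestamp, filter_result) pairs; both shapes are assumptions, not the skill's API.

```python
import math
import re
from typing import Any, Dict, List, Tuple

# SL-03: entity ids look like entity_type_exchange_code, e.g. stock_sh_600000
ENTITY_ID_RE = re.compile(r"^[a-z]+_[a-z]+_[A-Za-z0-9]+$")
# SL-05: exactly one sizing field may be set on a TradingSignal
SIZE_FIELDS = ("position_pct", "order_money", "order_amount")


def filter_to_action(value: Any) -> str:
    """SL-06: True=BUY, False=SELL, None/NaN=NO ACTION; anything else is a bug."""
    if value is None or (isinstance(value, float) and math.isnan(value)):
        return "NO ACTION"
    if value is True:          # identity check: 1 or 1.0 must not pass as BUY
        return "BUY"
    if value is False:
        return "SELL"
    raise ValueError(f"filter_result must be bool or None/NaN, got {value!r}")


def signal_violations(signal: Dict[str, Any]) -> List[str]:
    """Return the ids of the fatal locks one signal dict (assumed shape) violates."""
    violated = []
    if not ENTITY_ID_RE.fullmatch(str(signal.get("entity_id", ""))):
        violated.append("SL-03")
    if sum(signal.get(k) is not None for k in SIZE_FIELDS) != 1:
        violated.append("SL-05")
    return violated


def next_bar_actions(bars: List[Tuple[str, Any]]) -> List[Tuple[str, str]]:
    """SL-02: a filter_result computed on bar t is acted on at bar t+1, never at t."""
    actions, pending = [], None
    for timestamp, filt in bars:
        actions.append((timestamp, filter_to_action(pending)))
        pending = filt
    return actions


def order_cycle(signals: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """SL-01: within one trading cycle all sells execute before any buy (stable sort)."""
    return sorted(signals, key=lambda s: 0 if s["side"] == "SELL" else 1)


if __name__ == "__main__":
    # constructed sample: a well-formed and a doubly broken signal
    print(signal_violations({"entity_id": "stock_sh_600000", "position_pct": 0.5}))
    print(signal_violations({"entity_id": "600000", "position_pct": 0.5, "order_money": 1e4}))
```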

Top Anti-Patterns (15 total)

  • AP-DERIVATIVES-PRICING-001: Instrument NPV called without attached pricing engine
  • AP-DERIVATIVES-PRICING-002: BSM forward price ignores dividend yield
  • AP-DERIVATIVES-PRICING-003: Negative discount factors passed to log-domain interpolation

All 15 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-123. Evidence verify ratio = 10.2% and audit fail total = 9. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

File                       Contents                                         When to Load
references/seed.yaml       V6+ full authoritative copy (source-of-truth)    must read when behaviour/decisions are disputed
references/ANTI_PATTERNS.md  15 cross-project anti-patterns                 before starting implementation
references/WISDOM.md       distilled cross-project lessons                  when making architecture decisions
references/CONSTRAINTS.md  domain + fatal constraints                       when rules conflict
references/USE_CASES.md    full KUC-* business scenarios                    when complete examples are needed
references/LOCKS.md        SL-* + preconditions + hints                     before generating backtest/trading code
references/COMPONENTS.md   AST component map (split by module)              when looking up APIs

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-123 blueprint at 2026-04-22T13:01:00.865366+00:00. See human_summary.md for non-technical overview.
