ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Rqalpha Cn Backtest

v0.3.3

基于20日价格动量在沪深300、沪深500与国债之间自动轮转配置,通过RQAlpha框架执行完整回测并评估组合绩效。

0· 85·0 current·0 all-time
byTang Weigang@tangweigang-jpg

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tangweigang-jpg/rqalpha-cn-backtest.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Rqalpha Cn Backtest" (tangweigang-jpg/rqalpha-cn-backtest) from ClawHub.
Skill page: https://clawhub.ai/tangweigang-jpg/rqalpha-cn-backtest
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install rqalpha-cn-backtest

ClawHub CLI

Package manager switcher

npx clawhub@latest install rqalpha-cn-backtest
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Purpose (backtesting A‑share rotation strategy via RQAlpha/ZVT) matches the included content (lots of domain constraints, anti‑patterns, pipelines). However SKILL.md claims runtime requirements (Python 3.12+ and 'uv' package manager, Doramagic-host compatibility, compiled blueprint v6.1) that are not reflected in the registry metadata (no required binaries, no install spec). Also the skill references third‑party data providers (joinquant, eastmoney, akshare) where credentials may be needed but no credentials are declared.
!
Instruction Scope
SKILL.md and seed.yaml instruct the agent to run precondition commands (python checks, pip install zvt if missing), to re-read seed.yaml at runtime, and to create/write files under ZVT_HOME (~/.zvt). They also direct the agent to choose data providers that can require account tokens. These are normal for a backtest helper, but the instructions give the agent permission to run shell/Python commands and write to disk; the skill does not clearly limit or declare those operations in the manifest.
!
Install Mechanism
The registry shows no install spec and no code files (instruction‑only), but seed.yaml's execution_protocol and SKILL.md expect the host/agent to perform installs/verification (pip installs, verify packages). That mismatch (no declared install steps vs instructions that perform installs) is an inconsistency and increases risk because the agent could be instructed to run arbitrary package installs at runtime.
!
Credentials
The skill declares no required environment variables, yet the SKILL.md and preconditions reference ZVT_HOME and data providers (joinquant, brokers) that commonly require credentials. The skill may prompt the agent/user for provider credentials at runtime but has not declared or scoped them in the manifest; this is a proportionality/visibility gap.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The skill does instruct the agent to re-read seed.yaml on every behavioral decision and to write into ~/.zvt as part of precondition checks; this gives the skill runtime persistence (filesystem writes) but not elevated platform privileges or forced always-on inclusion. No evidence it modifies other skills or global agent settings.
What to consider before installing
This skill appears coherent with a backtesting helper, but there are important mismatches you should address before installing or granting the agent permission to run it: - Expect the agent to run Python commands and possibly pip install packages (e.g., zvt). Run these installs yourself in a controlled environment (virtualenv/container) rather than letting the agent run them automatically. - The skill references ZVT_HOME (~/.zvt) and will attempt to write there as a precondition test; ensure you are comfortable with that path and permissions or set ZVT_HOME to an isolated directory. - If you plan to use paid data providers (joinquant, brokers), the skill will need credentials — the package manifest does not declare these env vars. Do not paste credentials into a conversation; prefer configuring them in the host's secret store and only grant minimal-scoped tokens. - Ask the publisher for a concrete install spec and a list of required env vars (jqdatasdk tokens, broker API keys) and for a minimal reproducible example of the exact shell/python commands the agent will run. The current mismatch (no install spec vs SKILL.md that runs installs) is the main reason this is flagged suspicious. If you want to proceed safely: run the skill locally inside an isolated VM/container, manually perform and inspect the prereq installs, set ZVT_HOME to a disposable directory, and do not provide credentials until you confirm what calls will be made and where data will be transmitted.

Like a lobster shell, security has layers — review code before you run it.

analyticsvk97f2tfqr14ht3qbg6njbx1yqd85cf3bdoramagic-crystalvk97f2tfqr14ht3qbg6njbx1yqd85cf3bfinancevk97f2tfqr14ht3qbg6njbx1yqd85cf3blatestvk97f2tfqr14ht3qbg6njbx1yqd85cf3bportfoliovk97f2tfqr14ht3qbg6njbx1yqd85cf3bquantvk97f2tfqr14ht3qbg6njbx1yqd85cf3briskvk97f2tfqr14ht3qbg6njbx1yqd85cf3b
85downloads
0stars
3versions
Updated 4d ago
v0.3.3
MIT-0
Tang Weigang@tangweigang-jpg
analyticsdoramagic-crystalfinancelatestportfolioquantrisk
Download

RQAlpha A 股回测 (rqalpha-cn-backtest)

基于20日价格动量在沪深300、沪深500与国债之间自动轮转配置,通过RQAlpha框架执行完整回测并评估组合绩效。

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (2 total)

Index Futures Momentum Rotation Strategy (UC-101)

Implements a momentum-based rotation strategy between equity indices (CSI 300, CSI 500) and government bonds, automatically rebalancing to the best-pe Triggers: momentum rotation, index futures, equity bond allocation

Sphinx Documentation Configuration (UC-102)

Configuration file for building rqalpha project documentation using Sphinx, setting up autodoc, autosummary, and other documentation extensions Triggers: documentation, sphinx, configuration

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

IDRuleOn Violation
SL-01Execute sell orders before buy orders in every trading cyclehalt
SL-02Trading signals MUST use next-bar execution (no look-ahead)halt
SL-03Entity IDs MUST follow format entity_type_exchange_codehalt
SL-04DataFrame index MUST be MultiIndex (entity_id, timestamp)halt
SL-05TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amounthalt
SL-06filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTIONhalt
SL-07Transformer MUST run BEFORE Accumulator in factor pipelinehalt
SL-08MACD parameters locked: fast=12, slow=26, signal=9halt

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (25 total)

  • AP-ZVT-183: 除权因子为 inf/NaN 时直接参与乘法导致复权静默失败
  • AP-ZVT-179: 第三方数据接口超限后异常被吞噬,数据静默缺失
  • AP-ZVT-183B: HFQ(后复权)与 QFQ(前复权)K 线表使用错误导致因子计算漂移

All 25 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-089. Evidence verify ratio = 44.4% and audit fail total = 12. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

FileContentsWhen to Load
references/seed.yamlV6+ 全量权威 (source-of-truth)有行为/决策争议时必读
references/ANTI_PATTERNS.md25 条跨项目反模式开始实现前
references/WISDOM.md跨项目精华借鉴架构决策时
references/CONSTRAINTS.mddomain + fatal 约束规则冲突时
references/USE_CASES.md全量 KUC-* 业务场景需要完整示例时
references/LOCKS.mdSL-* + preconditions + hints生成回测/交易代码前
references/COMPONENTS.mdAST 组件地图(按 module 拆分)查 API 时

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-089 blueprint at 2026-04-22T13:00:37.233732+00:00. See human_summary.md for non-technical overview.

Comments

Loading comments...