Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Pattern Screener

v0.3.3

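Scans a stock universe in a deterministic order using 7 technical pattern detectors (Cup-with-Handle, Three-Weeks-Tight, High Tight Flag, VCP, NR7, etc.), with cross-detector score calibration and confidence-aggregated ranking.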

by Tang Weigang (@tangweigang-jpg)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tangweigang-jpg/stock-pattern-screener.

Install the skill "Stock Pattern Screener" (tangweigang-jpg/stock-pattern-screener) from ClawHub.
Skill page: https://clawhub.ai/tangweigang-jpg/stock-pattern-screener
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install stock-pattern-screener

ClawHub CLI


npx clawhub@latest install stock-pattern-screener

Security Scan

Capability signals: Crypto, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description and the SKILL.md content are coherent: this is a stock-pattern screening/backtest blueprint that references data collection, pattern detectors, scoring, and an API surface. However, metadata/instructions claim the host needs Python 3.12+ and uv package manager and the SKILL.md (and references/LOCKS.md) require zvt and a ZVT_HOME directory — yet the skill's declared requirements list 'none'. That mismatch (no declared binaries/envs but explicit runtime dependencies in the text) is inconsistent and should be resolved.
Instruction Scope
SKILL.md and seed.yaml instruct the agent to run precondition checks (e.g., python3 -c 'import zvt' and pip install zvt if missing) and to read/reload seed.yaml on decision points. Those runtime steps can cause network access (pip), write access to user dirs (~/.zvt), and execution of arbitrary Python packages. The instructions also include semantic locks and many preconditions that require reading/writing host files. While these are plausible for a screening/backtest skill, they expand the agent's scope beyond purely read-only analysis and should be explicitly disclosed and approved by the user.
Install Mechanism
There is no install spec (instruction-only), which is lowest-risk on disk at install time. But the seed.yaml execution protocol references host install recipes and SKILL.md tells the agent to run pip install zvt when preconditions fail — so installation may happen at runtime. The skill does not provide a controlled install recipe or indicate trusted package sources; that asymmetry is noteworthy.
Credentials
Declared required env vars: none. In practice, instructions reference ZVT_HOME and check filesystem permissions; the skill will also prompt for data source choices (eastmoney, joinquant, akshare, qmt) some of which require API accounts/keys. The skill does not declare these credentials up front, which is inconsistent and could lead the agent to request or expect secrets during use. No explicit unrelated secrets are requested, but the lack of a clear credential policy is a gap.
Persistence & Privilege
always:false (good). The skill can be invoked autonomously per platform defaults (not flagged alone). However seed.yaml contains an execution protocol that mandates re-reading seed.yaml on behavioral decisions and references workspace and skills paths; combined with the preconditions that may create ~/.zvt and install packages at runtime, the skill can end up persisting data and installing packages during normal operation. This is reasonable for a data pipeline tool but should be presented to the user as a permissioned action.
What to consider before installing
This skill appears to be a genuine stock-pattern screening/backtest blueprint, but there are important mismatches and runtime behaviors to consider before installing or running it:

  • Expect runtime dependency installation: SKILL.md and references require Python 3.12+, the 'uv' manager, and the zvt package. Although the registry shows no required env or install steps, the skill's preconditions instruct the agent to run pip install zvt and initialize ~/.zvt. Treat those runtime installs as network activity and potential code execution.
  • File-system writes: The skill will check and may create/modify a ZVT_HOME directory (~/.zvt) and relies on host workspace paths referenced in seed.yaml. If you allow it to run, do so in a sandbox or VM if you don't want it touching your real home/workspace.
  • No upfront credential disclosure: The skill prompts for data providers (eastmoney, joinquant, akshare, qmt). Some providers require API keys/accounts (joinquant, brokers). Do not supply API keys or secrets until you verify precisely where/how they will be used; prefer ephemeral or read-only test credentials.
  • Ask for clarification / request explicit install manifest: Request the author supply a clear install spec (exact pip/uv packages and trusted sources) and a list of environment variables/credentials the skill will ever ask for. If you cannot verify, run the skill only in an isolated environment.
  • Audit seed.yaml and references: The skill's seed.yaml contains runtime rules (must re-read seed.yaml before decisions) and execution protocols. Review references/seed.yaml and references/LOCKS.md to ensure the 'semantic locks' and preconditions align with your expected workflow.

If you plan to proceed: run the skill in a disposable environment (container/VM) first, deny network access if you want to inspect behavior offline, and do not provide production credentials or access to real trading accounts until you have full visibility into what it executes.

Like a lobster shell, security has layers — review code before you run it.

88 downloads
0 stars
3 versions
Updated 5d ago
v0.3.3
MIT-0

Stock Pattern Screener (stock-pattern-screener)

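Scans a stock universe in a deterministic order using 7 technical pattern detectors (Cup-with-Handle, Three-Weeks-Tight, High Tight Flag, VCP, NR7, etc.), with cross-detector score calibration and confidence-aggregated ranking.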

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (30 total)

FastAPI Application Bootstrap (UC-001)

Provides the main FastAPI application entry point with CORS middleware, dependency injection wiring, and runtime service initialization for the Hermes
Triggers: api, server, start

Server Authentication Service (UC-005)

Provides single-user server authentication helpers including token encoding, decoding, expiration checking, and HMAC signature validation for securing
Triggers: auth, authentication, token

Setup Engine Pattern Detection (UC-014)

Detects chart patterns (VCP, Cup-with-Handle, NR7, etc.) using normalized scoring and cross-detector calibration for trade setup quality assessment
Triggers: setup, pattern, vcp

For all 30 use cases, see references/USE_CASES.md.

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

| ID | Rule | On Violation |
|---|---|---|
| SL-01 | Execute sell orders before buy orders in every trading cycle | halt |
| SL-02 | Trading signals MUST use next-bar execution (no look-ahead) | halt |
| SL-03 | Entity IDs MUST follow format entity_type_exchange_code | halt |
| SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp) | halt |
| SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt |
| SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION | halt |
| SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline | halt |
| SL-08 | MACD parameters locked: fast=12, slow=26, signal=9 | halt |

Full lock definitions: references/LOCKS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-082. Evidence verify ratio = 20.6% and audit fail total = 13. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

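| File | Contents | When to Load |
|---|---|---|
| references/seed.yaml | V6+ full authoritative definition (source-of-truth) | Required reading when behavior or decisions are in dispute |
| references/ANTI_PATTERNS.md | 0 cross-project anti-patterns | Before starting implementation |
| references/WISDOM.md | Cross-project lessons worth borrowing | When making architecture decisions |
| references/CONSTRAINTS.md | domain + fatal constraints | When rules conflict |
| references/USE_CASES.md | All KUC-* business scenarios | When complete examples are needed |
| references/LOCKS.md | SL-* + preconditions + hints | Before generating backtest/trading code |
| references/COMPONENTS.md | AST component map (split by module) | When looking up an API |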

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-082 blueprint at 2026-04-22T13:00:32.580572+00:00. See human_summary.md for non-technical overview.
