Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

yfinance-market-data

v0.3.0

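Fetches historical quotes, financial data, real-time quotes, and financial calendars for stocks, indices, forex, and cryptocurrencies across global markets via Yahoo Finance. Trigger scenarios: (1) the user wants to view a stock's daily candlestick (K-line) trend over the past year; (2) the user wants to enter a company name and fuzzy-match it to the corresponding ticker symbol; (3) the user wants market data from multiple markets for side-by-side comparison.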

by Tang Weigang (@tangweigang-jpg)
Security Scan
Capability signals: Crypto; Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
Name/description emphasize Yahoo Finance; most runtime text and use-cases focus on ZVT and Chinese data sources (eastmoney, akshare, baostock, joinquant) and A-share workflows. The skill metadata demands Python 3.12+ and the 'uv' package manager, yet the provided install.sh uses python3 -m pip. The skill expects ZVT (preconditions reference import zvt and zvt.recorders) but the install script does not install zvt. This mismatch between declared purpose and actual components/instructions is incoherent.
[!] Instruction Scope
SKILL.md instructs running scripts/install.sh (safe) but the seed/locks/preconditions require the agent to re-read seed.yaml and run Python precondition checks that import zvt and probe/set ZVT_HOME (including a write test). Those preconditions will read and potentially create files under the user's ZVT_HOME (default ~/.zvt). The skill's runtime policy also prescribes semantic locks and behavior checks that may cause the agent to run local python commands and recorders (e.g., zvt.recorders.em.em_stock_kdata_recorder). Because zvt isn't installed by the script and no env vars are declared for provider tokens, the runtime instructions are ambiguous and could trigger unexpected filesystem and network activity if executed.
Install Mechanism
The only install is scripts/install.sh which calls pip to install common PyPI packages (pandas, numpy, requests, beautifulsoup4, curl_cffi, etc.). This is a relatively low-risk, traceable install method (no remote arbitrary archives). However it will modify the host Python environment; running it in a global environment can affect system packages. The script does not install zvt, despite runtime expectations.
[!] Credentials
requires.env lists none, and no primary credential is declared — yet the SKILL.md and seed files reference data sources that commonly require tokens (joinquant, tushare, paid providers) and rely on ZVT_HOME environment variable. The preconditions check and write-test reference ZVT_HOME. The absence of declared env vars for provider tokens or for ZVT_HOME is inconsistent and leaves ambiguous what secrets or configuration the skill will actually need at runtime.
Persistence & Privilege
always:false and model invocation is allowed (normal). The skill will read many bundled reference files and its preconditions may create/write a small test file in ZVT_HOME (~/.zvt) if that precondition runs. The install script will pip-install packages into the host Python environment (persistent change). No attempt to modify other skills' configs or force-enable itself is present.
Scan Findings in Context
[AP-DATA-SOURCING-011] expected: This rule (Yahoo Finance crumb/cookie auth) appears in the repository anti-patterns. It's expected for any Yahoo-Finance related integration and indicates the skill knows crumb handling is required — but SKILL.md doesn't show a concrete crumb-handling implementation and the instruction set is silent on how to manage those cookies/crumbs.
[AP-DATA-SOURCING-009] expected: Timezone-aware DatetimeIndex warning is present in anti-patterns. For a historical-price skill this is a valid concern; the repo notes the issue but we don't see explicit enforcement code in SKILL.md or in the install script.
[AP-DATA-SOURCING-003] expected: No-HTTP-timeout anti-pattern appears in references. The skill's libraries (requests/curl_cffi) can make network calls — the presence of this anti-pattern in references is a caution to check that HTTP timeouts and retry logic are implemented.
What to consider before installing
This skill is internally inconsistent: the name/description emphasize Yahoo Finance, but most files and use-cases target ZVT and A-share data sources. Before installing or running it:
(1) Ask the publisher which runtime is authoritative (yfinance vs. ZVT).
(2) Do not run scripts/install.sh in your system Python; run it inside an isolated virtualenv or container to avoid altering global packages.
(3) Confirm whether zvt (and which version) is required; the install script currently does not install it but the preconditions expect it.
(4) Expect the skill to read its bundled reference files and to probe/create ~/.zvt unless you set ZVT_HOME to a safe writable path.
(5) If you will let the agent execute autonomously, require clarification about credential handling (provider API keys, crumb/cookie management) because no env vars are declared.
If the publisher cannot explain these mismatches, treat the package as untrusted and refrain from running it on sensitive systems or networks.


Tags: doramagic-crystal, finance, latest
16 downloads · 0 stars · 1 version · Updated 3h ago
License: MIT-0

yfinance-market-data

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (12 total)

Utility Function Validation (UC-101)

Ensures date/timezone parsing and validation utilities work correctly for handling mixed timezone data from financial APIs.
Triggers: timezone, datetime, validation

Historical Price Data Retrieval (UC-105)

Fetches historical price and volume data for securities across multiple intervals (daily, weekly, monthly) and time periods.
Triggers: price history, historical data, OHLCV

Price Data Repair and Resampling (UC-107)

Corrects corrupted or misaligned price data and resamples data between different time intervals while maintaining data integrity.
Triggers: repair, fix data, resample

For all 12 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: when the user's intent matches intent_router.uc_entries[].positive_terms AND the user uses an action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

ID    | Rule                                                                                | On Violation
SL-01 | Execute sell orders before buy orders in every trading cycle                        | halt
SL-02 | Trading signals MUST use next-bar execution (no look-ahead)                         | halt
SL-03 | Entity IDs MUST follow format entity_type_exchange_code                             | halt
SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp)                           | halt
SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount     | halt
SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION            | halt
SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline                          | halt
SL-08 | MACD parameters locked: fast=12, slow=26, signal=9                                  | halt

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (14 total)

  • AP-DATA-SOURCING-001: Missing or invalid User-Agent headers for SEC API requests
  • AP-DATA-SOURCING-002: Ignoring external API rate limits causing IP blocking
  • AP-DATA-SOURCING-003: No HTTP timeout configuration causing indefinite hangs

All 14 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-128. Evidence verify ratio = 29.8% and audit fail total = 3. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

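File                          | Contents                                      | When to Load
references/seed.yaml          | V6+ full authoritative spec (source-of-truth) | Required reading when behavior/decisions are in dispute
references/ANTI_PATTERNS.md   | 14 cross-project anti-patterns                | Before starting implementation
references/WISDOM.md          | Cross-project lessons learned                 | When making architecture decisions
references/CONSTRAINTS.md     | domain + fatal constraints                    | When rules conflict
references/USE_CASES.md       | All KUC-* business scenarios                  | When complete examples are needed
references/LOCKS.md           | SL-* + preconditions + hints                  | Before generating backtest/trading code
references/COMPONENTS.md      | AST component map (split by module)           | When looking up APIs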

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-128 blueprint at 2026-04-22T13:01:04.148127+00:00. See human_summary.md for non-technical overview.
