v1.0.0

ETF Simulated Trading Backtesting System

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:29 AM.

Analysis

The artifacts describe a coherent simulated ETF backtesting tool, with only purpose-aligned notes around external market-data access, optional scheduled execution, and undeclared runtime dependency details.

Guidance: This appears safe to review as a simulated backtesting helper, not a real trading bot. Before installing or running it, be aware that it relies on external market-data endpoints, may need Python dependencies that are not declared, and should only be scheduled with cron if you intentionally want automatic daily analyses.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Info; Confidence: High; Status: Note
SKILL.md
Daily scheduled execution can be set up via Cron: - 9:30 opening analysis - 14:50 late-session confirmation - 15:00 post-close review

The documentation suggests optional scheduled execution. It is disclosed and user-directed, but scheduled jobs are a form of persistence if the user sets them up.

User impact: If you configure cron, the script can run automatically on a schedule and produce trading analyses without a fresh manual prompt each time.
Recommendation: Only add scheduled jobs intentionally, review the exact cron commands first, and remove them when you no longer want automatic runs.
Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: Medium; Status: Note
scripts/trade.py
import requests

The script depends on Python's requests package, but the metadata and install specification do not declare runtime dependencies. This is a completeness/provenance note, not evidence of malicious behavior.

User impact: The skill may not run in an environment where Python dependencies are not already available, and users may need to decide how to install missing packages.
Recommendation: Before running the script, confirm the Python environment and install dependencies from trusted package sources.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
scripts/trade.py
url = f"http://push2.eastmoney.com/api/qt/stock/get" ... resp = requests.get(url, params=params, timeout=5)

The script retrieves market data from an external provider over HTTP. This is aligned with the backtesting purpose, but the data source and transport affect the integrity of generated signals and reports.

User impact: The tool may send the queried stock or ETF code to Eastmoney and base simulated trading reports on data returned by that provider.
Recommendation: Use the tool only with data sources you trust, and consider verifying important results against another market-data source before relying on them.