Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A 股量化实验室

v0.1.0

A 股量化实验室:数据采集 + 因子研究 + 回测执行一站式(基于 zvt 框架)。覆盖 31 个场景:机构持仓追踪、财报采集、指数成分、MACD/MA/量能择时等。触发:A股回测、量化策略、因子研究、选股、zvt、跟基金持仓、机构持仓、A-share backtest, quant strategy。仅限中国...

0· 35·0 current·0 all-time
byTang Weigang@tangweigang-jpg
Security Scan
Capability signals
CryptoRequires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (A‑share quant lab based on zvt) align with the files and instructions: many zvt-specific references, use cases, recorders, and provider mentions (eastmoney/joinquant/baostock/akshare). Asking for network access to those providers is expected for the stated functionality.
Instruction Scope
SKILL.md is instruction-heavy and expects you to run scripts/install.sh and to run python commands (zvt import checks, init_dirs). It requires network access to third‑party data providers (expected), and will create/require a ZVT_HOME (~/ .zvt) directory. The instructions also implicitly recommend pip installs if zvt is missing (in preconditions), which expands scope from 'read-only analysis' to modifying the runtime environment.
!
Install Mechanism
There is no formal install spec — the skill is instruction-only but includes scripts/install.sh. That script (not expanded here) may install Python packages and initialize ~/.zvt. The references even include anti-pattern notes about install scripts not using virtualenvs and polluting global Python installs. Because the install action is delegated to an included shell script and there is no explanation of whether it uses a venv, this is a moderate risk: running it could change global packages or write files system-wide. Also the required binary 'uv' (described as 'uv package manager' in SKILL.md) is nonstandard and unexplained, which is suspicious and should be clarified before running.
Credentials
The skill declares no required environment variables or secrets, and its network targets (eastmoney/joinquant/baostock/akshare) are consistent with the purpose. No credentials are requested in the manifest. This is proportionate to a data-collection/backtest tool. (If you plan to use paid providers like joinquant, you will need to supply their credentials externally; the skill does not declare such env vars.)
Persistence & Privilege
always is false and disable-model-invocation is default (agent may call autonomously). The skill will create/initialize its own zvt data directory (~/.zvt or ZVT_HOME) per its preconditions; that is expected for a data recorder/backtest tool and does not modify other skills or global agent configuration as declared.
What to consider before installing
This skill appears to be a compiled zvt-based A‑share quant toolkit and is largely coherent with its description, but stop and inspect the install script (scripts/install.sh) before running it. Prefer to: (1) open and review the script contents to confirm it only installs expected Python packages and doesn't fetch or run arbitrary executables; (2) run the install steps inside a dedicated Python virtual environment (venv/conda) to avoid global package changes; (3) clarify what 'uv' refers to and why it's required — do not install unknown system binaries as root; (4) be aware that the skill will access external data providers (eastmoney/joinquant/baostock/akshare) and create/write a zvt home directory (~/.zvt); (5) supply any paid-provider credentials yourself and verify the skill does not attempt to exfiltrate secrets. If you want, paste the contents of scripts/install.sh here and I can examine it for risky commands.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📈 Clawdis
Binspython3, uv
Primary envpython
a-sharevk977597pv2ks2kh32depzzmz6185bhhmfinancevk977597pv2ks2kh32depzzmz6185bhhmlatestvk977597pv2ks2kh32depzzmz6185bhhmquantvk977597pv2ks2kh32depzzmz6185bhhmzvtvk977597pv2ks2kh32depzzmz6185bhhm
35downloads
0stars
1versions
Updated 21h ago
v0.1.0
MIT-0

A 股量化实验室 (a-stock-quant-lab)

说出你要什么——"跟机构持仓"、"MACD 回测 2023 年"、"基于 SZ50 做因子研究",我直接写代码跑起来,不用你翻 zvt 文档。底层是 zvt 框架,覆盖 A 股 / 港股 / 数字货币;美股不建议用(zvt 美股数据质量一般)。

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (31 total)

Actor Data Recorder (UC-101)

Collects institutional investor holdings and top 10 free float shareholders on a weekly schedule for tracking major player positions Triggers: institutional investor, top holders, actor data

Financial Statement Recorder (UC-102)

Collects fundamental financial data including balance sheets, income statements, and cash flow statements from eastmoney on a weekly basis Triggers: financial statements, balance sheet, income statement

Index Data Recorder (UC-103)

Collects index metadata, index compositions (SZ1000, SZ2000, growth, value indices), and daily index price data Triggers: index data, index composition, SZ1000

For all 31 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

IDRuleOn Violation
SL-01Execute sell orders before buy orders in every trading cyclehalt
SL-02Trading signals MUST use next-bar execution (no look-ahead)halt
SL-03Entity IDs MUST follow format entity_type_exchange_codehalt
SL-04DataFrame index MUST be MultiIndex (entity_id, timestamp)halt
SL-05TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amounthalt
SL-06filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTIONhalt
SL-07Transformer MUST run BEFORE Accumulator in factor pipelinehalt
SL-08MACD parameters locked: fast=12, slow=26, signal=9halt

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (47 total)

  • AP-ZVT-183: 除权因子为 inf/NaN 时直接参与乘法导致复权静默失败
  • AP-ZVT-179: 第三方数据接口超限后异常被吞噬,数据静默缺失
  • AP-ZVT-200: Token 失效后数据查询返回空 DataFrame 而非报错

All 47 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-009. Evidence verify ratio = 55.0% and audit fail total = 36. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

FileContentsWhen to Load
references/seed.yamlV6+ 全量权威 (source-of-truth)有行为/决策争议时必读
references/ANTI_PATTERNS.md47 条跨项目反模式开始实现前
references/WISDOM.md跨项目精华借鉴架构决策时
references/CONSTRAINTS.mddomain + fatal 约束规则冲突时
references/USE_CASES.md全量 KUC-* 业务场景需要完整示例时
references/LOCKS.mdSL-* + preconditions + hints生成回测/交易代码前
references/COMPONENTS.mdAST 组件地图(按 module 拆分)查 API 时

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-009 blueprint at 2026-04-20T07:34:47.524525+00:00. See human_summary.md for non-technical overview.

Comments

Loading comments...