Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

abs-cashflow-modeling

v0.3.0

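Model asset-backed securities deal structures, simulate mortgage pool cashflows, tranche-by-tranche bond repayment and waterfall distribution, and analyze tranche yield and risk performance. Triggers: (1) the user wants to build an ABS deal model and analyze principal and interest recovery for the senior bonds and the equity tranche; (2) the user wants to simulate a LIBOR floating-rate mortgage pool and see how cashflows change across rate reset periods; (3) the user wants to model a bond structure with step-up rates, ...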

0· 44·0 current·0 all-time
by Tang Weigang @tangweigang-jpg
Security Scan
Capability signals
Crypto
Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
! Purpose & Capability
The skill name/description claim ABS cashflow and tranche modeling, but the SKILL.md and human_summary emphasize a ZVT-based A-share trading/backtest pipeline and many trading use cases. The metadata line "Requires Python 3.12+ with uv package manager" and heavy ZVT references are not reflected in the simple install script. The mix of ABS deal modeling and ZVT trading/backtest functionality is plausible for a broad finance package, but the package does not clearly justify or declare ZVT as a required dependency.
! Instruction Scope
SKILL.md and seed.yaml instruct the agent to read many local reference files (seed.yaml, references/*) and to run preconditions that execute python -c commands (checking zvt, ZVT_HOME, recorders, etc.). Those preconditions access environment state and can prompt the agent to run pip installs or initialize directories. The skill's declared requirements list no env vars, yet instructions reference ZVT_HOME and other filesystem locations and tell the agent to run commands that modify local data directories — this expands the runtime scope beyond what the manifest declares.
Install Mechanism
The only install mechanism is scripts/install.sh which runs several python3 -m pip install calls for common packages (pandas, numpy, requests, toolz, lenses, graphviz, schema, htpy, dateparser, more-itertools). Packages are from PyPI (no suspicious URLs), but the script installs globally (no virtualenv) and does not install or verify zvt or the declared Python 3.12+ requirement. Global pip installs and lack of verification are a maintenance/security concern.
! Credentials
The skill declares no required environment variables, but SKILL.md/seed.yaml/preconditions reference ZVT_HOME and expect zvt to be present. The preconditions include instructions that, on failure, tell the user/agent to run pip install zvt and initialize ~/.zvt. Access to ZVT_HOME and writing to user home are not declared up front — this is disproportionate and inconsistent with the manifest.
Persistence & Privilege
always:false and no explicit modification of other skills. However, seed.yaml's execution_protocol mandates re-reading seed.yaml and running preconditions on execute, and preconditions may create/modify user directories (e.g. ~/.zvt) or install additional packages. That behavior grants ongoing file-system effects when the agent follows the skill's runtime instructions; it's not automatically privileged but it does enable persistent local state changes.
What to consider before installing
This skill is internally inconsistent in ways worth checking before installing. Specifically:

  • Ask the owner/maintainer to clarify the primary purpose: ABS cashflow modeling or ZVT trading/backtest, and to reconcile the README/metadata.
  • The package references ZVT and expects Python 3.12+, but the install script does not install zvt or verify the Python version. Expect the agent to prompt you to run python commands (including pip install zvt) and to create a ~/.zvt directory unless you change behavior.
  • The install script runs pip install globally. Install in an isolated virtual environment (venv/conda) or container to avoid modifying your system Python environment.
  • The skill will read its seed.yaml and many references at runtime; review those files (seed.yaml, references/*) locally for any commands you don't want an agent to execute.
  • If you need to install: (1) inspect scripts/install.sh and run it in a controlled venv; (2) confirm whether zvt is required and request the maintainer add it to the install script or document why it's optional; (3) ensure you are comfortable with the skill creating/modifying ~/.zvt or set ZVT_HOME to a safe path.
  • If you cannot verify the origin (source is unknown and homepage none), prefer running in a sandboxed environment or decline until the maintainer provides clearer provenance and an updated install procedure.

Like a lobster shell, security has layers — review code before you run it.

doramagic-crystal vk97b16atq0fmqx7wp7d2x8nytn85ac3p
finance vk97b16atq0fmqx7wp7d2x8nytn85ac3p
latest vk97b16atq0fmqx7wp7d2x8nytn85ac3p
44 downloads
0 stars
3 versions
Updated 14h ago
v0.3.0
MIT-0

abs-cashflow-modeling

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (40 total)

Basic ABS Deal Model (UC-001)

Model a basic asset-backed securities deal with mortgage pool, bonds, fees, and waterfall to analyze cashflows and tranche performance.
Triggers: basic deal, ABS, mortgage pool

Adjustable Rate Mortgage Pool (UC-002)

Model an adjustable rate mortgage pool with LIBOR-based floating rates and periodic resets.
Triggers: ARM, adjustable rate, LIBOR

Bond Step-Up Rate (UC-003)

Model bonds with scheduled rate step-ups at specific dates for ABS deal structuring.
Triggers: step-up, bond rate, scheduled increase

For all 40 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

| ID | Rule | On Violation |
|----|------|--------------|
| SL-01 | Execute sell orders before buy orders in every trading cycle | halt |
| SL-02 | Trading signals MUST use next-bar execution (no look-ahead) | halt |
| SL-03 | Entity IDs MUST follow format entity_type_exchange_code | halt |
| SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp) | halt |
| SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt |
| SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION | halt |
| SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline | halt |
| SL-08 | MACD parameters locked: fast=12, slow=26, signal=9 | halt |

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (15 total)

  • AP-INSURANCE-001: Implicit numeric format assumptions without validation
  • AP-INSURANCE-002: Triangle axis construction with invalid temporal ordering
  • AP-INSURANCE-003: Cumulative/incremental triangle representation misuse

All 15 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-076. Evidence verify ratio = 37.8% and audit fail total = 22. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

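| File | Contents | When to Load |
|------|----------|--------------|
| references/seed.yaml | V6+ full authoritative source (source-of-truth) | Required reading when behavior or decisions are disputed |
| references/ANTI_PATTERNS.md | 15 cross-project anti-patterns | Before starting implementation |
| references/WISDOM.md | Cross-project highlights | When drawing on architecture decisions |
| references/CONSTRAINTS.md | domain + fatal constraints | When rules conflict |
| references/USE_CASES.md | All KUC-* business scenarios | When complete examples are needed |
| references/LOCKS.md | SL-* + preconditions + hints | Before generating backtest/trading code |
| references/COMPONENTS.md | AST component map (split by module) | When looking up an API |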

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-076 blueprint at 2026-04-22T13:00:28.210602+00:00. See human_summary.md for non-technical overview.
