Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

advanced-financial-ml

v0.3.0

MlFinLab 提供金融机器学习高级实现,包括信息驱动 bars(tick/volume/dollar/imbalance bars)、分数阶差分和回测工具,支持多市场因子研究与策略验证。触发场景:(1) 用户要从原始 Tick 数据提取稳健的价格特征构建因子;(2) 用户要将时间序列差分至平稳态同时保留记忆性...

0· 45·0 current·0 all-time
byTang Weigang@tangweigang-jpg
Security Scan
Capability signals
CryptoRequires walletRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description promise advanced financial-ML features (bars, fractional differentiation, backtesting) and the repository contains extensive domain docs and components that align with that purpose. Declared requirements in the registry are empty, but SKILL.md metadata calls out 'Requires Python 3.12+ with uv package manager'—a mismatch vs registry metadata. Overall capability→purpose alignment is plausible but the metadata inconsistency is worth noting.
!
Instruction Scope
Runtime instructions ask the agent to run scripts/install.sh and refer to preconditions that run python commands (import zvt, query get_kdata, check/write ZVT_HOME). The skill expects zvt to be available / ZVT_HOME to exist and be writable, but zvt is not installed by the provided install.sh and no required env var (ZVT_HOME) is declared. The seed.yaml/execution_protocol also instructs the host to re-read seed.yaml and enforce preconditions before any behavioral decision, which expands the agent's operational scope beyond a simple 'write code for backtest' instruction. These instructions reference files/paths (e.g., ~/.zvt or ZVT_HOME) and expect file-system writes which are within-scope for a backtesting skill but should have been explicitly declared.
!
Install Mechanism
The included scripts/install.sh uses pip to install a set of common ML/finance packages from PyPI (numpy, pandas, scikit-learn, scipy, statsmodels, cython, numba, POT, networkx, joblib). Using PyPI packages is expected for this skill, but the installer installs into the system/global Python environment (no venv or isolation), which can modify or downgrade existing global packages and cause environment pollution. Also, the install script does not install 'zvt' (which the skill's preconditions expect), and SKILL.md mentions an 'uv' package manager requirement that the install script does not address.
!
Credentials
No credentials or env vars are declared in the registry, but the SKILL.md and references/LOCKS.md preconditions reference ZVT_HOME (Path(os.environ.get('ZVT_HOME', Path.home() / '.zvt'))) and attempt to write to that location. That implies the skill will read/write the user's ~/.zvt (or ZVT_HOME) and expects file-system write permission. There are no API keys or other secrets requested, which is appropriate, but the undeclared dependency on ZVT_HOME and on the zvt package means the skill will access user-local config/data paths without having declared them.
Persistence & Privilege
always:false (no forced global activation) and disable-model-invocation:false (normal). The skill includes a seed.yaml execution_protocol that instructs the host to re-read seed.yaml and run preconditions before execution — this gives the skill notable influence over runtime checks, but it does not set always:true or modify other skills. No evidence that the skill alters other skills' configs. Still, because it requires/assumes local data directories (ZVT_HOME) and asks to run an install script, it will create or modify files on disk.
What to consider before installing
This skill appears to implement legitimate financial-ML tooling, but there are mismatches and operational surprises you should consider before installing: - Run it in an isolated Python environment (virtualenv / conda) to avoid polluting your system Python; the provided install script installs packages globally and does not create a venv. - Review and, if needed, modify scripts/install.sh before running. It installs common ML packages but does NOT install 'zvt', yet the SKILL.md preconditions expect zvt to be importable. - Check ZVT_HOME behavior: the skill's preconditions will read/write ~/.zvt (or the folder pointed to by ZVT_HOME). If you don't want this, set ZVT_HOME to an isolated writable directory before running or inspect/modify the code that touches that path. - Verify Python version and 'uv' requirement: SKILL.md claims Python 3.12+ and an 'uv' package manager, but the installer uses system python3/pip. Make sure your environment meets the actual runtime requirements. - Because the skill's seed.yaml instructs the host to re-read and enforce constraints at runtime, decide whether you trust the source; the skill can influence agent decision checks and preconditions. If you are unsure, request the publisher/source and full provenance before use. If you proceed: run the install script only inside a disposable environment, manually install any missing packages (like zvt) if you want full functionality, and inspect the large reference files (seed.yaml, LOCKS.md) to understand constraints that will be enforced during execution.

Like a lobster shell, security has layers — review code before you run it.

doramagic-crystalvk97dwd2dj1t17pn729bx3brc6985barnfinancevk97dwd2dj1t17pn729bx3brc6985barnlatestvk97dwd2dj1t17pn729bx3brc6985barn
45downloads
0stars
3versions
Updated 13h ago
v0.3.0
MIT-0

advanced-financial-ml

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (1 total)

Sphinx Documentation Configuration (UC-101)

How to configure and generate project documentation using Sphinx autodoc and extensions for API documentation coverage Triggers: documentation, sphinx, autodoc

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

IDRuleOn Violation
SL-01Execute sell orders before buy orders in every trading cyclehalt
SL-02Trading signals MUST use next-bar execution (no look-ahead)halt
SL-03Entity IDs MUST follow format entity_type_exchange_codehalt
SL-04DataFrame index MUST be MultiIndex (entity_id, timestamp)halt
SL-05TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amounthalt
SL-06filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTIONhalt
SL-07Transformer MUST run BEFORE Accumulator in factor pipelinehalt
SL-08MACD parameters locked: fast=12, slow=26, signal=9halt

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (25 total)

  • AP-ZVT-183: 除权因子为 inf/NaN 时直接参与乘法导致复权静默失败
  • AP-ZVT-179: 第三方数据接口超限后异常被吞噬,数据静默缺失
  • AP-ZVT-183B: HFQ(后复权)与 QFQ(前复权)K 线表使用错误导致因子计算漂移

All 25 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-115. Evidence verify ratio = 43.7% and audit fail total = 34. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

FileContentsWhen to Load
references/seed.yamlV6+ 全量权威 (source-of-truth)有行为/决策争议时必读
references/ANTI_PATTERNS.md25 条跨项目反模式开始实现前
references/WISDOM.md跨项目精华借鉴架构决策时
references/CONSTRAINTS.mddomain + fatal 约束规则冲突时
references/USE_CASES.md全量 KUC-* 业务场景需要完整示例时
references/LOCKS.mdSL-* + preconditions + hints生成回测/交易代码前
references/COMPONENTS.mdAST 组件地图(按 module 拆分)查 API 时

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-115 blueprint at 2026-04-22T13:00:55.567727+00:00. See human_summary.md for non-technical overview.

Comments

Loading comments...