ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

akshare-financial-data

v0.3.0

获取中国 A 股市场实时行情、历史 K 线、财务报表、基金期货等金融数据,支持股票、债券、期权等多品种数据查询。触发场景:(1) 用户要获取某只股票的日线、周线历史数据;(2) 用户要查询股票实时行情和报价;(3) 用户要批量下载多只A股的历史行情进行回测分析。

0· 31·0 current·0 all-time
byTang Weigang@tangweigang-jpg
Security Scan
Capability signals
CryptoRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (A‑share data fetching and backtest pipeline) aligns with the included files (many data‑sourcing references) and the pip packages installed (pandas, requests, bs4, lxml, etc.). These dependencies are reasonable for web/API scraping and data processing.
!
Instruction Scope
SKILL.md and seed.yaml require precondition checks that run Python commands (import zvt, check data, create/write test file under ZVT_HOME/ ~/.zvt). Those runtime checks touch the user filesystem and reference an environment variable (ZVT_HOME) that is not declared in requires.env. The SKILL.md/seed.yaml execution protocol also instructs re-reading seed.yaml and running preconditions on behavioral decisions, giving the skill broad discretion to execute local checks beyond simple data fetching.
Install Mechanism
The only install artifact is scripts/install.sh which installs well-known PyPI packages via pip. No arbitrary remote downloads or archive extraction are present. This is a low-to-moderate risk install mechanism (standard pip installs).
!
Credentials
requires.env declares none, but instructions and preconditions read/write ZVT_HOME and touch ~/.zvt. The skill implicitly depends on the zvt ecosystem (preconditions run python -c checks for zvt), yet the SKILL metadata did not declare ZVT_HOME or zvt as explicit required credentials/config — a mismatch. Also SKILL.md claims 'Requires Python 3.12+ with uv package manager' while install.sh uses python3 + pip, which is inconsistent.
Persistence & Privilege
always:false (not forced into every agent run) and default autonomous invocation allowed. The skill does include instructions that create/verify a local data directory (~/.zvt) and may write there, but it does not request system‑wide persistent privileges or modify other skills' configs. No 'always:true' or other elevated persistence requested.
What to consider before installing
This skill appears to do what it says (A‑share data sourcing) and installs standard Python packages, but there are a few mismatches you should check before installing: (1) SKILL.md claims 'Python 3.12+ with uv package manager' but the provided install script uses python3 and pip—ensure your Python and package manager match or adapt the script. (2) The runtime preconditions reference ZVT_HOME and will try to read/write ~/.zvt (filesystem writes), yet no environment variables were declared—decide whether you want the skill to create/check those paths. (3) Review the included references/LOCKS.md and seed.yaml to understand what precondition commands the agent may execute (they run python -c checks). (4) The install.sh uses PyPI packages; if you require vetted packages, audit them or run the install in a sandbox/virtualenv. If you need higher assurance, ask the author (or require a proper package manifest/requirements.txt, explicit env var declarations, and alignment between declared runtime and install script) before enabling autonomous use.

Like a lobster shell, security has layers — review code before you run it.

doramagic-crystalvk970nrqtcddj187pzzgsx33sq585a8xgfinancevk970nrqtcddj187pzzgsx33sq585a8xglatestvk970nrqtcddj187pzzgsx33sq585a8xg
31downloads
0stars
3versions
Updated 2h ago
v0.3.0
MIT-0
Tang Weigang@tangweigang-jpg
doramagic-crystalfinancelatest
Download

akshare-financial-data

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (1 total)

Sphinx Documentation Configuration for Akshare (UC-101)

Sets up the Sphinx documentation builder with Chinese language support (via ctex), Markdown parsing via recommonmark, and automatic version string ext Triggers: documentation, sphinx, docs build

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

IDRuleOn Violation
SL-01Execute sell orders before buy orders in every trading cyclehalt
SL-02Trading signals MUST use next-bar execution (no look-ahead)halt
SL-03Entity IDs MUST follow format entity_type_exchange_codehalt
SL-04DataFrame index MUST be MultiIndex (entity_id, timestamp)halt
SL-05TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amounthalt
SL-06filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTIONhalt
SL-07Transformer MUST run BEFORE Accumulator in factor pipelinehalt
SL-08MACD parameters locked: fast=12, slow=26, signal=9halt

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (14 total)

  • AP-DATA-SOURCING-001: Missing or invalid User-Agent headers for SEC API requests
  • AP-DATA-SOURCING-002: Ignoring external API rate limits causing IP blocking
  • AP-DATA-SOURCING-003: No HTTP timeout configuration causing indefinite hangs

All 14 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-079. Evidence verify ratio = 30.6% and audit fail total = 41. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

FileContentsWhen to Load
references/seed.yamlV6+ 全量权威 (source-of-truth)有行为/决策争议时必读
references/ANTI_PATTERNS.md14 条跨项目反模式开始实现前
references/WISDOM.md跨项目精华借鉴架构决策时
references/CONSTRAINTS.mddomain + fatal 约束规则冲突时
references/USE_CASES.md全量 KUC-* 业务场景需要完整示例时
references/LOCKS.mdSL-* + preconditions + hints生成回测/交易代码前
references/COMPONENTS.mdAST 组件地图(按 module 拆分)查 API 时

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-079 blueprint at 2026-04-22T13:00:30.352072+00:00. See human_summary.md for non-technical overview.

Comments

Loading comments...