Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cuemacro-finmarket

v0.3.0

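Financial-market backtesting framework supporting technical-indicator strategy backtests on FX G10 currency pairs, local and S3 cloud storage of high-frequency tick data with ArcticDB, and fetching and caching of market data from sources such as Quandl. Trigger scenarios: (1) the user wants to run a crossover-strategy backtest on FX G10 currency pairs; (2) the user wants to store high-frequency tick data in S3 cloud storage; (3) the user wants to fetch historical market data from Quandl.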

by Tang Weigang (@tangweigang-jpg)
Security Scan
Capability signals: Crypto, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
SKILL.md describes ArcticDB (local + S3), Quandl, ZVT, and FX/S3 workflows that normally require additional libraries (zvt, arcticdb, boto3/s3fs, quandl/market-data clients). The provided install script installs common data science libs (numpy, pandas, scikit-learn, numba, matplotlib, etc.) but does NOT install zvt, arcticdb, boto3/s3fs, quandl, pyarrow/parquet, or other packages clearly needed for the described S3/ArcticDB/Quandl functionality. SKILL.md also says 'Requires Python 3.12+ with uv package manager' but the install script uses pip and does not enforce Python version or uv usage. This mismatch indicates the declared purpose is not fully supported by the requested/installed artifacts.
Instruction Scope
The runtime instructions (SKILL.md + seed.yaml) instruct the agent to run precondition checks (python one-liners checking zvt and ~/.zvt), to re-read seed.yaml on decision points, and to run scripts/install.sh. Those steps operate only on repo files and run benign checks, but they imply the agent will attempt to install or verify external packages (e.g., 'pip install zvt' as an on_fail remediation). The instructions do not request or declare access to host secrets, but they assume the presence of environment configuration for S3/Quandl without specifying how credentials are provided. The requirement to 're-read seed.yaml' on every decision is an operational instruction that increases how often the agent will load policy/metadata files from the skill bundle.
Install Mechanism
This is an instruction-only skill with a generated scripts/install.sh that runs python3 -m pip install for several PyPI packages. Using pip is standard (moderate risk) and no arbitrary URL downloads are present. However, the install list omits several packages required for the stated S3/ArcticDB/Quandl features (see Purpose & Capability). SKILL.md also names the 'uv' package manager while the script uses pip, which is inconsistent.
! Credentials
SKILL.md describes S3 cloud storage and Quandl vendor integration, which normally require AWS credentials (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or AWS_PROFILE) and a Quandl API key. The skill declares no required env vars or primary credential, so there is a clear proportionality gap: the skill claims capabilities that need secrets but does not request or document how those secrets are provided. That ambiguity is a red flag for both usability and security (missing least-privilege guidance for S3 access).
Persistence & Privilege
The skill is not always-enabled (always: false) and does not request system-wide config paths or modify other skills. It runs a one-time install script in its own workspace. No elevated persistence or privileged flags were requested.
What to consider before installing
Do not install/run this skill until the author clarifies and fixes the inconsistencies. Ask for: 1) a clear dependency list that includes zvt, arcticdb, boto3/s3fs, quandl (or confirmation these are intentionally omitted) and an install script that matches SKILL.md (pip vs uv); 2) explicit documentation of what credentials are needed and how to supply them (AWS IAM least-privilege guidance, Quandl API key), or confirmation that cloud operations are optional; 3) the license / LICENSE.txt and a source/homepage (the skill has no homepage and an unknown owner); 4) confirmation that running the precondition remediation (e.g., automatic pip install zvt) is acceptable in your environment. If you proceed, run install in an isolated environment (virtualenv/container), review listed PyPI packages for supply-chain risk, and provision S3 credentials using a restricted IAM role/temporary credentials rather than long-lived root keys.

Like a lobster shell, security has layers — review code before you run it.

Tags: doramagic-crystal, finance, latest (all at vk979dndrr77f3524szte8h28z585ad5s)
27 downloads · 0 stars · 1 version · Updated 16h ago · v0.3.0 · MIT-0

cuemacro-finmarket

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (4 total)

ArcticDB Tick Data Storage (UC-101)

Provides persistent storage for high-frequency tick market data using ArcticDB, supporting both local LMDB and S3 cloud storage backends for efficient

Triggers: arcticdb, tick data storage, time series database

Market Data Fetching from Vendors (UC-103)

Fetches economic and financial market data from external vendors like Quandl, demonstrating how to request and cache market data with specific fields

Triggers: market data, quandl, fetch data

S3 Cloud Storage for Tick Data (UC-104)

Demonstrates writing and reading tick market data to/from AWS S3 cloud storage using Parquet format for efficient compression and retrieval of histori

Triggers: s3 storage, aws, parquet

For all 4 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

| ID | Rule | On Violation |
|---|---|---|
| SL-01 | Execute sell orders before buy orders in every trading cycle | halt |
| SL-02 | Trading signals MUST use next-bar execution (no look-ahead) | halt |
| SL-03 | Entity IDs MUST follow format entity_type_exchange_code | halt |
| SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp) | halt |
| SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt |
| SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION | halt |
| SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline | halt |
| SL-08 | MACD parameters locked: fast=12, slow=26, signal=9 | halt |

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (14 total)

  • AP-PORTFOLIO-ANALYTICS-001: Division by zero in price ratio calculations corrupts rebalancing
  • AP-PORTFOLIO-ANALYTICS-002: Look-ahead bias from unshifted signal generation and position calculations
  • AP-PORTFOLIO-ANALYTICS-003: Non-positive-semidefinite covariance matrix breaks CVXPY optimization

All 14 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-108. Evidence verify ratio = 32.0% and audit fail total = 18. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

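| File | Contents | When to Load |
|---|---|---|
| references/seed.yaml | V6+ full authoritative source (source-of-truth) | Must read when behavior or decisions are in dispute |
| references/ANTI_PATTERNS.md | 14 cross-project anti-patterns | Before starting implementation |
| references/WISDOM.md | Cross-project best-practice takeaways | When making architecture decisions |
| references/CONSTRAINTS.md | domain + fatal constraints | When rules conflict |
| references/USE_CASES.md | All KUC-* business scenarios | When complete examples are needed |
| references/LOCKS.md | SL-* + preconditions + hints | Before generating backtest/trading code |
| references/COMPONENTS.md | AST component map (split by module) | When looking up APIs |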

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-108 blueprint at 2026-04-22T13:00:51.768652+00:00. See human_summary.md for non-technical overview.
