Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

czsc-chan-theory

v0.3.0

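CZSC Chan theory technical analysis tool, supporting K-line generation, stroke and segment identification, fractal signal extraction, and A-share backtest visualization. Trigger scenarios: (1) the user wants to analyze A-share K-line data; (2) the user wants to compute Chan Zhong Shuo Chan (Chan theory) fractals and buy/sell signals; (3) the user wants to backtest historical market data and do factor research.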

by Tang Weigang (@tangweigang-jpg)
Security Scan
Capability signals
Crypto · Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (CZSC + ZVT-based A-share backtesting) matches the files and references (many ZVT-related constraints, recorders, backtest components). Minor mismatch: SKILL.md metadata claims 'Requires Python 3.12+ with uv package manager', but the provided install.sh uses pip and does not install zvt or czsc packages. The inclusion of OSS/ClickHouse/Redis client packages is plausible for optional storage backends but should be justified by the user (they enable external storage connections).
Instruction Scope
Runtime instructions focus on data collection, factor computation, and backtesting (including precondition checks that call zvt and check ~/.zvt). They instruct running scripts/install.sh and running zvt recorders which will fetch external market data — expected for this domain. The SKILL.md/seed.yaml require the agent to re-read seed.yaml and many local reference docs; this is domain-relevant but expands the skill's local read scope (reads its own reference files).
Install Mechanism
No formal registry install spec, but an install script (scripts/install.sh) is included that installs packages from PyPI via pip (pandas, numpy, pyarrow, requests, loguru, dill, pytz, redis, clickhouse_connect, oss2). This is a common, low-to-moderate risk approach. Concerns: (1) install script does not install zvt/czsc though preconditions expect zvt; (2) metadata mentions a different package manager (uv) than the script uses; (3) some packages (clickhouse_connect, oss2, redis) enable external storage connectivity and may be unnecessary if you don't use those backends.
Credentials
Skill declares no required env variables or credentials. SKILL.md does reference ZVT_HOME and data provider options (eastmoney, joinquant, akshare); joinquant requires account credentials but the skill does not request them. No hidden secret-exfiltration indicators present in the files provided.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; autonomous invocation is allowed (default) but not by itself suspicious. The skill does not request persistent agent-level privileges or modify other skills' configs. seed.yaml requests that the host re-read it on each run (normal for this artifact) but increases the amount of local metadata the agent will consult.
What to consider before installing
What to consider before installing/using this skill:

  • Provenance: the skill lists no homepage and 'Source: unknown'. Prefer packages with a clear repository/homepage. Ask the publisher for source or verify the repository before trusting it.
  • Installation mismatch: SKILL.md claims 'uv' package manager and Python 3.12+, but scripts/install.sh uses pip and does NOT install zvt/czsc. Expect to manually install zvt and other domain packages. Do not run install.sh blindly in your system Python; use an isolated virtualenv/venv or container.
  • External connectors: install.sh will install redis, clickhouse_connect, and oss2. These enable connections to external storage/datastores. If you won't use those backends, consider removing them from the install step. If you will use them, verify any connection endpoints and credentials you provide are legitimate and limited in scope.
  • Data providers & credentials: the skill supports data providers (eastmoney, joinquant). joinquant and some brokers require credentials; the skill does not request them automatically. Only provide API keys to trusted code and review where those keys will be used/stored.
  • Files & docs: the skill includes many reference files and a large seed.yaml. The execution protocol instructs the agent to re-read seed.yaml and other local docs; this is expected for a compiled blueprint but means the skill will consult a lot of internal policy/constraint text. Review those files if you need to verify behavior.
  • Safety steps: (1) inspect scripts/install.sh and any other executable files; (2) run installation inside an isolated virtualenv or container; (3) manually pip install zvt and other domain packages as needed rather than relying solely on the provided script; (4) if you intend to connect to ClickHouse/OSS/Redis, use least-privilege service accounts and firewall rules; (5) verify license/LEGAL files (LICENSE.txt referenced but not present in bundle).
If you want, I can list the exact lines that conflict (uv vs pip, missing zvt install, absent LICENSE.txt) and produce a minimal safe install command that omits optional storage drivers.

Like a lobster shell, security has layers — review code before you run it.

27 downloads
0 stars
1 version
Updated 16h ago
v0.3.0
MIT-0

czsc-chan-theory

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (10 total)

Sphinx Documentation Configuration (UC-101)

Configuring the Sphinx documentation builder for the czsc project, ensuring proper Python path setup and Rust version priority.
Triggers: documentation, sphinx, configuration

CZSC Performance Benchmarking (UC-102)

Benchmarking CZSC analysis performance with varying K-line counts to measure initialization speed and memory usage.
Triggers: benchmark, performance, speed

Volatility Classification Signal (UC-104)

Classifying market volatility into three tiers (low/middle/high) based on recent K-line price ranges for signal generation.
Triggers: volatility, classification, signal

For all 10 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

| ID | Rule | On Violation |
|---|---|---|
| SL-01 | Execute sell orders before buy orders in every trading cycle | halt |
| SL-02 | Trading signals MUST use next-bar execution (no look-ahead) | halt |
| SL-03 | Entity IDs MUST follow format entity_type_exchange_code | halt |
| SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp) | halt |
| SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt |
| SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION | halt |
| SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline | halt |
| SL-08 | MACD parameters locked: fast=12, slow=26, signal=9 | halt |

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (25 total)

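  • AP-ZVT-183: An ex-rights factor of inf/NaN goes straight into the multiplication, so price adjustment fails silently
  • AP-ZVT-179: The exception raised after a third-party data API exceeds its rate limit is swallowed, so data goes missing silently
  • AP-ZVT-183B: Using the wrong K-line table, HFQ (backward-adjusted) versus QFQ (forward-adjusted), causes drift in factor calculations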

All 25 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-091. Evidence verify ratio = 60.4% and audit fail total = 13. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

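| File | Contents | When to Load |
|---|---|---|
| references/seed.yaml | V6+ full authoritative spec (source-of-truth) | Must read when behavior or a decision is disputed |
| references/ANTI_PATTERNS.md | 25 cross-project anti-patterns | Before starting implementation |
| references/WISDOM.md | Cross-project lessons learned | When making architecture decisions |
| references/CONSTRAINTS.md | domain + fatal constraints | When rules conflict |
| references/USE_CASES.md | All KUC-* business scenarios | When complete examples are needed |
| references/LOCKS.md | SL-* + preconditions + hints | Before generating backtest/trading code |
| references/COMPONENTS.md | AST component map (split by module) | When looking up an API |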

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-091 blueprint at 2026-04-22T13:00:38.716020+00:00. See human_summary.md for non-technical overview.
