Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

eastmoney-api

v0.3.0

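Provides VAlpha quant terminal users with A-share market data retrieval, automatic switching between multiple data sources and circuit-breaker protection, supports Tushare/Akshare fallback chains, and automatically configures request rate limits according to the points quota. Trigger scenarios: (1) the user wants to fetch A-share real-time quotes or historical K-line data; (2) the user wants to do pre-market/post-market quantitative analysis or run backtest tasks; (3) the user wants to set ...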

by Tang Weigang (@tangweigang-jpg)
Security Scan
Capability signals
Crypto
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description claim A-share data ingestion, multi-source fallback, rate limiting and backtest pipeline — and the files (USE_CASES, COMPONENTS, LOCKS) show exactly that. However the SKILL metadata claims 'Requires Python 3.12+ with uv package manager' while the provided install script uses pip. The skill also documents FastAPI, JWT auth, LLM provider configuration and recorder components that normally require runtime secrets (API keys, JWT secret) even though no environment variables or credentials are declared.
!
Instruction Scope
Runtime instructions and preconditions instruct the agent to run zvt check commands, initialize zvt dirs, and rely on ZVT_HOME environment variable. Those environment/config accesses are not declared in requires.env or required config paths. The SKILL.md additionally asks the agent to re-read seed.yaml and to run scripts/install.sh; no instructions attempt data exfiltration, but the preconditions implicitly require access to local filesystem paths and an external library (zvt) that may not be present.
Install Mechanism
There is no formal install spec, but scripts/install.sh (auto-generated) installs Python packages from PyPI (pandas, numpy, requests, scikit-learn, etc.). Installing from PyPI is expected for a Python data pipeline, but it contradicts the SKILL.md claim of using the 'uv' package manager. The pip-based script is moderate risk (normal third-party packages). Verify package version compatibility with your Python runtime (SKILL claims Python 3.12+ while pinned packages may have different compatibility).
!
Credentials
The skill declares no required environment variables or primary credential, but its documentation and use-cases reference services that normally need secrets (Tushare/Akshare/joinquant API tokens, LLM API keys, JWT_SECRET for auth). Preconditions explicitly read ZVT_HOME. Missing declarations mean the agent may try to read environment/config at runtime without the user being alerted, which is incoherent and raises privacy/security concerns.
Persistence & Privilege
The skill is not 'always: true' and does not request elevated platform privileges. It does not declare modifying other skills' configs. Normal autonomous invocation is allowed (disable-model-invocation is false), which is expected for skills.
What to consider before installing
Before installing or running this skill:

  • Review scripts/install.sh manually; run it inside an isolated Python virtualenv (or container) and confirm package versions are acceptable for your Python interpreter. The SKILL.md claims Python 3.12+ but the script uses pip — verify compatibility.
  • Expect to supply runtime secrets (Tushare/joinquant tokens, LLM API keys, JWT secret, etc.) even though none are declared. Do not provide credentials until you confirm where/how they are stored and used.
  • The preconditions reference ZVT and the ZVT_HOME environment variable; ensure you have zvt installed and that ZVT_HOME points to a writable, intended directory.
  • Because the skill runs networked data collection and may hit external APIs, consider rate-limit protections and run first with limited scopes (small universe / test mode).
  • If you plan to expose FastAPI endpoints, confirm auth/JWT configuration and secure binding addresses (do not run bound to 0.0.0.0 on a public host without proper firewall/auth).
  • If anything is unclear (why no declared env vars, which package manager to use, Python version guarantee), ask the publisher for clarification or request a fixed manifest before trusting the skill in a production environment.

Like a lobster shell, security has layers — review code before you run it.

doramagic-crystal vk9798f1b3adwa54jzfwyzdqmts85a2sd · finance vk9798f1b3adwa54jzfwyzdqmts85a2sd · latest vk9798f1b3adwa54jzfwyzdqmts85a2sd
32 downloads
0 stars
1 versions
Updated 15h ago
v0.3.0
MIT-0

eastmoney-api

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (26 total)

VAlpha Terminal Entry Point (UC-101)

Provides unified entry point for starting FastAPI server or running pre/post-market analysis
Triggers: start, server, run

FastAPI Application Factory (UC-102)

Creates and configures FastAPI application instance with CORS, routers, and lifespan management
Triggers: application, fastapi, server

Static File Serving and SPA Routing (UC-103)

Serves frontend static files and implements SPA catch-all routing for client-side navigation
Triggers: static, frontend, spa

For all 26 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

ID | Rule | On Violation
SL-01 | Execute sell orders before buy orders in every trading cycle | halt
SL-02 | Trading signals MUST use next-bar execution (no look-ahead) | halt
SL-03 | Entity IDs MUST follow format entity_type_exchange_code | halt
SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp) | halt
SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt
SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION | halt
SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline | halt
SL-08 | MACD parameters locked: fast=12, slow=26, signal=9 | halt

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (14 total)

  • AP-DATA-SOURCING-001: Missing or invalid User-Agent headers for SEC API requests
  • AP-DATA-SOURCING-002: Ignoring external API rate limits causing IP blocking
  • AP-DATA-SOURCING-003: No HTTP timeout configuration causing indefinite hangs

All 14 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-084. Evidence verify ratio = 36.8% and audit fail total = 26. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

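File | Contents | When to Load
references/seed.yaml | V6+ full authoritative source (source-of-truth) | Must read when behavior or decisions are in dispute
references/ANTI_PATTERNS.md | 14 cross-project anti-patterns | Before starting implementation
references/WISDOM.md | Cross-project lessons worth borrowing | When making architecture decisions
references/CONSTRAINTS.md | domain + fatal constraints | When rules conflict
references/USE_CASES.md | All KUC-* business scenarios | When complete examples are needed
references/LOCKS.md | SL-* + preconditions + hints | Before generating backtest/trading code
references/COMPONENTS.md | AST component map (split by module) | When looking up APIs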

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-084 blueprint at 2026-04-22T13:00:34.071788+00:00. See human_summary.md for non-technical overview.
