Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

easytrader-cn-broker

v0.3.0

Provides automated trading for A-share broker clients, wrapping login and trading operations for multiple brokers such as XueQiu (雪球) and 芸享, and covering core functions including account balance queries, position management, order entrustment and portfolio following. Trigger scenarios: (1) the user wants to log into a broker account automatically and keep the session alive; (2) the user wants to query stock positions and account balance information; (3) the user wants to place orders, cancel orders and adjust positions programmatically.

by Tang Weigang (@tangweigang-jpg)
Security Scan

Capability signals: Crypto; Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (!)
The skill claims to automate broker logins and trading (XueQiu, YunHui, etc.). The included install script installs GUI/automation and OCR libraries (pywinauto, pytesseract) and broker-related clients (xtquant, rqopen_client) which are plausible for automating broker clients, but the skill declares no required environment variables or primary credential despite needing account cookies/credentials in practice. Metadata also claims Python 3.12+ with an 'uv' package manager, while the install script uses pip — a mismatch. These omissions (no declared credential env vars, inconsistent installer metadata) are unexpected for a broker automation skill and therefore concerning.
Instruction Scope (!)
SKILL.md instructs running scripts/install.sh and contains precondition checks that reference zvt and ZVT_HOME environment state. The skill's instructions implicitly expect access to environment variables (ZVT_HOME) and to install/run zvt, but those requirements are not declared in the skill's manifest. The runtime instructions also embed policy-like behaviors (semantic locks, re-read seed.yaml) and references to creating HTTP API servers — which could expose local account data if a server is started. The instructions do not explicitly describe how credentials/session cookies are provided or protected.
Install Mechanism
There is no remote archive download; install is a local scripts/install.sh that runs multiple pip installs from PyPI. Using pip is common but pulls arbitrary packages (xtquant, rqopen_client) whose provenance should be verified. Installing pytesseract without installing the tesseract binary is incomplete and platform assumptions (pywinauto is Windows-centric) are not disclosed. This is moderate risk — packages from PyPI execute install-time code and should be vetted.
Credentials (!)
The skill does not declare any required credentials or a primaryEnv, yet its functionality (automatic login, placing orders) inherently requires sensitive credentials/cookies and access to broker sessions. SKILL.md and preconditions reference ZVT_HOME and zvt, implying additional environment/config requirements that are not declared. The skill asks for data sources that may require paid accounts (joinquant) but gives no guidance on how secrets are handled. Lack of explicit credential declarations is disproportionate for a trading/brokering skill.
Persistence & Privilege
The skill is not marked always:true and does not declare modifications to other skills or system-wide configuration. The only install action is a one-shot pip-based install script. No explicit persistent always-enabled behavior or attempts to alter other skills' configs are present in the provided files.
What to consider before installing
Before installing or running this skill: (1) Treat it as sensitive — it will want to log into broker accounts; do not supply credentials before you audit how they are used/stored. (2) Inspect the pip packages (xtquant, rqopen_client, pywinauto, pytesseract) and confirm their provenance and licensing. (3) Run scripts/install.sh inside an isolated virtual environment (not as root) and on a test machine. (4) Expect platform assumptions: pywinauto implies Windows GUI automation; pytesseract needs the tesseract binary installed separately. (5) The skill does not declare required env vars (ZVT_HOME) or how credentials are passed — ask the author or inspect runtime code to confirm no secrets are exfiltrated and whether any local HTTP server would expose account data. (6) If you plan to allow real trading, require a code review, restricted test account, and monitoring of network activity and API calls before using with real funds.


Tags: doramagic-crystal, finance, latest
25 downloads · 0 stars · 1 version · Updated 15h ago · v0.3.0 · License: MIT-0

easytrader-cn-broker

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (4 total)

Broker API Server for Trading Operations (UC-101)

Provides HTTP REST API endpoints for broker authentication and retrieving account balance information programmatically, enabling integration with exte
Triggers: server, api, http

XueQiu Trader Account Preparation Validation Test (UC-102)

Unit test that validates XueQiuTrader correctly handles account preparation with required parameters (cookies) and properly stores portfolio configura
Triggers: xueqiu, trader, account preparation

YunHui Client Trader Integration Tests (UC-103)

Integration tests for YunHui (yh_client) broker trading operations including balance queries, today's trades/entrusts, and entrust cancellation functi
Triggers: yh_client, balance, entrust

For all 4 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

ID     Rule                                                                        On Violation
SL-01  Execute sell orders before buy orders in every trading cycle                halt
SL-02  Trading signals MUST use next-bar execution (no look-ahead)                 halt
SL-03  Entity IDs MUST follow format entity_type_exchange_code                     halt
SL-04  DataFrame index MUST be MultiIndex (entity_id, timestamp)                   halt
SL-05  TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount  halt
SL-06  filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION    halt
SL-07  Transformer MUST run BEFORE Accumulator in factor pipeline                  halt
SL-08  MACD parameters locked: fast=12, slow=26, signal=9                          halt

Full lock definitions: references/LOCKS.md
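The locks above are stated as rules but the page gives no way to check generated code against them. The following is an added example, not code from the skill or from ZVT: it encodes SL-01 through SL-06 and SL-08 as plain Python checks that a reviewer can run over a strategy's signals before any order reaches a broker. The data shapes (an index modelled as (entity_id, timestamp) tuples, signals as dicts, bars as a sorted list of timestamps) and all sample values are assumptions constructed here so the code runs without pandas or a broker session.

```python
"""Lock checker for ZVT-style trading signals (added example, not the skill's code).

Lock texts come from the Semantic Locks table; the data shapes and sample values
below are assumptions made for this example so it runs offline without pandas.
"""
import math
import re
from typing import Any, Iterable

# SL-03: entity_type_exchange_code, e.g. stock_sh_600000 or stockus_nasdaq_AAPL (ids from the page)
ENTITY_ID_RE = re.compile(r"^[a-z]+_[a-z]+_[A-Za-z0-9.]+$")

# SL-05: exactly one sizing field per TradingSignal
SIZING_FIELDS = ("position_pct", "order_money", "order_amount")

# SL-08: MACD parameters are locked
MACD_LOCKED = {"fast": 12, "slow": 26, "signal": 9}


def is_valid_entity_id(entity_id: str) -> bool:
    """SL-03: three underscore-separated parts: entity type, exchange, code."""
    return bool(ENTITY_ID_RE.match(entity_id))


def has_multiindex(index: Iterable[Any]) -> bool:
    """SL-04: every index label must be an (entity_id, timestamp) pair.

    The index is modelled as an iterable of 2-tuples (assumption); with a real
    DataFrame you would check isinstance(df.index, pd.MultiIndex) and df.index.names.
    """
    labels = list(index)
    return bool(labels) and all(isinstance(lbl, tuple) and len(lbl) == 2 for lbl in labels)


def has_exactly_one_sizing(signal: dict) -> bool:
    """SL-05: exactly one of position_pct / order_money / order_amount is set."""
    return sum(signal.get(f) is not None for f in SIZING_FIELDS) == 1


def filter_to_action(value) -> str:
    """SL-06: True=BUY, False=SELL, None/NaN=NO ACTION."""
    if value is None or (isinstance(value, float) and math.isnan(value)):
        return "NO ACTION"
    return "BUY" if value else "SELL"


def is_next_bar(signal_ts: str, exec_ts: str, bars: list) -> bool:
    """SL-02: execution must land on the bar immediately after the signal bar."""
    try:
        return bars.index(exec_ts) == bars.index(signal_ts) + 1
    except ValueError:  # timestamp not in the bar list at all
        return False


def sells_before_buys(actions: list) -> bool:
    """SL-01: within one cycle no SELL may come after a BUY."""
    seen_buy = False
    for action in actions:
        if action == "BUY":
            seen_buy = True
        elif action == "SELL" and seen_buy:
            return False
    return True


def check_locks(index, signals: list, bars: list, macd: dict) -> list:
    """Run every lock; return violation strings (empty list means all locks hold)."""
    violations = []
    if not has_multiindex(index):
        violations.append("SL-04: index is not an (entity_id, timestamp) MultiIndex")
    actions = []
    for s in signals:
        if not is_valid_entity_id(s["entity_id"]):
            violations.append(f"SL-03: bad entity id {s['entity_id']!r}")
        if not has_exactly_one_sizing(s):
            violations.append(f"SL-05: {s['entity_id']} must set exactly one sizing field")
        if not is_next_bar(s["signal_ts"], s["exec_ts"], bars):
            violations.append(f"SL-02: {s['entity_id']} executes on a non-next bar (look-ahead)")
        actions.append(filter_to_action(s.get("filter_result")))
    if not sells_before_buys(actions):
        violations.append("SL-01: a BUY is ordered before a SELL in this cycle")
    if macd != MACD_LOCKED:
        violations.append(f"SL-08: MACD params {macd} differ from locked {MACD_LOCKED}")
    return violations


# Constructed sample data (not real market data): three daily bars and one trading cycle.
BARS = ["2024-01-02", "2024-01-03", "2024-01-04"]
GOOD_INDEX = [("stock_sh_600000", "2024-01-02"), ("stock_sz_000001", "2024-01-02")]
GOOD_SIGNALS = [
    {"entity_id": "stock_sh_600000", "filter_result": False, "position_pct": 0.0,
     "signal_ts": "2024-01-02", "exec_ts": "2024-01-03"},
    {"entity_id": "stock_sz_000001", "filter_result": True, "position_pct": 0.2,
     "signal_ts": "2024-01-02", "exec_ts": "2024-01-03"},
]
BAD_INDEX = ["2024-01-02"]  # flat index, not (entity_id, timestamp)
BAD_SIGNALS = [
    {"entity_id": "600000", "filter_result": True, "position_pct": 0.1, "order_money": 1000,
     "signal_ts": "2024-01-02", "exec_ts": "2024-01-02"},  # same-bar execution = look-ahead
    {"entity_id": "stock_sh_600000", "filter_result": False, "position_pct": 0.0,
     "signal_ts": "2024-01-02", "exec_ts": "2024-01-03"},  # SELL after the BUY above
]

if __name__ == "__main__":
    print("good:", check_locks(GOOD_INDEX, GOOD_SIGNALS, BARS, MACD_LOCKED))
    for v in check_locks(BAD_INDEX, BAD_SIGNALS, BARS, {"fast": 5, "slow": 35, "signal": 5}):
        print("bad: ", v)
```

Because every lock is marked "halt", a wrapper around generated strategy code should refuse to proceed when `check_locks` returns a non-empty list rather than log and continue; SL-07 (Transformer before Accumulator) is a pipeline-ordering rule that needs the factor object itself and is not modelled here.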

Top Anti-Patterns (25 total)

  • AP-ZVT-183: An ex-rights factor of inf/NaN is used directly in multiplication, so price adjustment fails silently
  • AP-ZVT-179: The exception raised when a third-party data interface hits its limit is swallowed, so data goes silently missing
  • AP-ZVT-183B: Using the wrong K-line table for HFQ (backward-adjusted) versus QFQ (forward-adjusted) prices causes factor computation drift

All 25 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-094. Evidence verify ratio = 62.7% and audit fail total = 8. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

File                       Contents                                        When to Load
references/seed.yaml       V6+ full authoritative data (source-of-truth)   Must read when behaviour or decisions are disputed
references/ANTI_PATTERNS.md  25 cross-project anti-patterns                Before starting implementation
references/WISDOM.md       Cross-project distilled lessons                 When making architecture decisions
references/CONSTRAINTS.md  domain + fatal constraints                      When rules conflict
references/USE_CASES.md    All KUC-* business scenarios                    When a complete example is needed
references/LOCKS.md        SL-* + preconditions + hints                    Before generating backtest/trading code
references/COMPONENTS.md   AST component map (split by module)             When looking up an API

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-094 blueprint at 2026-04-22T13:00:40.820921+00:00. See human_summary.md for non-technical overview.
