Fava Beancount Viewer
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user expecting a passive accounting viewer may instead get guidance or generated workflows for quant strategies and possible trading-related actions.
The same artifact frames the skill as a Fava/Beancount portfolio viewer/advisor but also introduces a broader ZVT-style market-data, strategy, and trading-execution workflow, including a broker option.
description: 提供基于Fava/Beancount的投资组合管理能力... Pipeline `data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization` ... Data source / provider: eastmoney ... joinquant ... akshare, or qmt (broker)?
Treat this as a broader finance/trading assistant, not just a viewer. Ask it to stay in analysis-only or backtest-only mode unless you explicitly want broker-connected workflows.
If interpreted as live trading rather than backtesting, the agent could guide or prepare actions that affect real financial positions.
The instructions describe trading execution and buy/sell order sequencing, but the artifacts do not clearly define whether this is simulation-only or live-account-capable, nor do they specify approval, limits, or rollback controls.
`data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization` ... `SL-01` Execute sell orders before buy orders in every trading cycle
Require explicit user confirmation before any broker-connected action, and ask the skill to distinguish analysis, backtesting, paper trading, and live trading in every workflow.
Users may be asked to connect sensitive financial accounts, broker access, or wallets without clear scoping or handling rules in the skill metadata.
The supplied capability signals indicate high-impact wallet, purchase, and credential needs, while the registry requirements declare no primary credential, required environment variables, or credential contract.
crypto; requires-wallet; can-make-purchases; requires-sensitive-credentials
Do not provide broker, wallet, or paid-provider credentials unless the workflow is clearly scoped, necessary, and explicitly approved; prefer read-only/API-limited credentials where possible.
Using the skill may lead to installing the ZVT Python package and creating local ZVT directories, despite the registry presenting it as instruction-only.
The documentation includes a package install and local initialization step even though the registry lists no install spec. This is likely purpose-aligned setup for ZVT, but it is under-declared.
PC-01: `python3 -c 'import zvt; print(zvt.__version__)'` → on_fail: Run: python3 -m pip install zvt then re-run: python3 -m zvt.init_dirs
Review and run setup commands yourself in a trusted environment; pin package versions if reproducibility or supply-chain assurance matters.
