Fava Beancount Viewer

Advisory. Audited by VirusTotal on Apr 23, 2026.

Overview

Type: OpenClaw Skill
Name: fava-beancount-viewer
Version: 0.3.3

The skill bundle provides a comprehensive framework for portfolio management and tax optimization using Beancount and the ZVT quant library. The instructions in SKILL.md and seed.yaml are focused on enforcing financial integrity, such as using Decimal types for monetary calculations (CW-ACCOUNTING-001) and adhering to IRS wash sale rules (finance-C-081). No evidence of data exfiltration, malicious persistence, or harmful prompt injection was found; the system's capabilities are strictly aligned with its stated purpose of financial analysis and reporting.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user expecting a passive accounting viewer may instead get guidance or generated workflows for quant strategies and possible trading-related actions.

Why it was flagged

The same artifact frames the skill as a Fava/Beancount portfolio viewer/advisor but also introduces a broader ZVT-style market-data, strategy, and trading-execution workflow, including a broker option.

Skill content

description: Provides Fava/Beancount-based portfolio management capabilities... Pipeline `data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization` ... Data source / provider: eastmoney ... joinquant ... akshare, or qmt (broker)?

Recommendation

Treat this as a broader finance/trading assistant, not just a viewer. Ask it to stay in analysis-only or backtest-only mode unless you explicitly want broker-connected workflows.

Concern: Medium Confidence

ASI02: Tool Misuse and Exploitation

What this means

If interpreted as live trading rather than backtesting, the agent could guide or prepare actions that affect real financial positions.

Why it was flagged

The instructions describe trading execution and buy/sell order sequencing, but the artifacts do not clearly define whether this is simulation-only or live-account-capable, nor do they specify approval, limits, or rollback controls.

Skill content

`data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization` ... `SL-01` Execute sell orders before buy orders in every trading cycle

Recommendation

Require explicit user confirmation before any broker-connected action, and ask the skill to distinguish analysis, backtesting, paper trading, and live trading in every workflow.

Concern: Medium Confidence

ASI03: Identity and Privilege Abuse

What this means

Users may be asked to connect sensitive financial accounts, broker access, or wallets without clear scoping or handling rules in the skill metadata.

Why it was flagged

The supplied capability signals indicate high-impact wallet, purchase, and credential needs, while the registry requirements declare no primary credential, required environment variables, or credential contract.

Skill content

crypto; requires-wallet; can-make-purchases; requires-sensitive-credentials

Recommendation

Do not provide broker, wallet, or paid-provider credentials unless the workflow is clearly scoped, necessary, and explicitly approved; prefer read-only/API-limited credentials where possible.

What this means

Using the skill may lead to installing the ZVT Python package and creating local ZVT directories, despite the registry presenting it as instruction-only.

Why it was flagged

The documentation includes a package install and local initialization step even though the registry lists no install spec. This is likely purpose-aligned setup for ZVT, but it is under-declared.

Skill content

PC-01: `python3 -c 'import zvt; print(zvt.__version__)'` → on_fail: Run `python3 -m pip install zvt`, then re-run `python3 -m zvt.init_dirs`

Recommendation

Review and run setup commands yourself in a trusted environment; pin package versions if reproducibility or supply-chain assurance matters.