ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Finrl Meta Envs

v0.3.3

提供多市场金融强化学习环境,支持PPO/DQN等DRL算法回测、Markowitz组合优化与实时模拟交易,适配Alpaca等券商接口。。

0· 94·0 current·0 all-time
byTang Weigang@tangweigang-jpg

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tangweigang-jpg/finrl-meta-envs.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Finrl Meta Envs" (tangweigang-jpg/finrl-meta-envs) from ClawHub.
Skill page: https://clawhub.ai/tangweigang-jpg/finrl-meta-envs
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install finrl-meta-envs

ClawHub CLI

Package manager switcher

npx clawhub@latest install finrl-meta-envs
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description (FinRL-style multi-market RL, backtest, Markowitz, Alpaca paper trading) are coherent with the included use-cases and component references. However SKILL.md explicitly says it requires "Python 3.12+ with uv package manager" and references zvt/Alpaca/ZVT_HOME behaviors, while the registry metadata declared no required binaries, no env vars, and no install steps — a clear mismatch (the skill will realistically need Python and third‑party libs and likely brokerage API keys).
!
Instruction Scope
SKILL.md contains detailed runtime protocols and preconditions that tell the agent to run python3 -c checks (import zvt, call get_kdata), to create/check ~/.zvt (touch/unlink), and to re-read seed.yaml and references before execution. Those instructions direct the agent to read and write local filesystem paths and to run commands that may install packages (pip install) if preconditions fail. The instructions also reference Alpaca paper trading but do not declare the required Alpaca API keys or how to store them. The scope is broader than the registry claims and gives the agent discretion to run environment modifications.
Install Mechanism
No install spec or code files are present in the registry entry (instruction-only). That lowers the immediate risk of downloading arbitrary binaries. However SKILL.md and seed.yaml include an execution_protocol that tells the host to run install recipes and pip install commands if preconditions fail — these are not expressed as a formal install spec in the registry, so the agent (or a user following instructions) might perform installs later without explicit manifested approval.
!
Credentials
The registry lists no required environment variables or credentials, yet the SKILL.md and references clearly expect integration with zvt, a ZVT_HOME directory, and broker APIs (Alpaca) for paper trading. Alpaca (and likely other broker/data sources) require API keys/tokens; those are not declared in requires.env or primaryEnv. The skill also expects writable access to ~/.zvt. This under-declaration of secrets and environment requirements is disproportionate and could cause accidental credential use or ad-hoc prompts for secrets.
Persistence & Privilege
always is false and there is no install spec that writes permanent binaries or modifies other skills. The seed.yaml/ SKILL.md ask the agent to re-read seed.yaml and run preconditions, but the skill does not request forced permanent inclusion or claim the ability to change other skills' configuration. Autonomous invocation is allowed (platform default) but does not by itself raise new flags here.
Scan Findings in Context
[no_scan_findings] unexpected: The static regex scanner found no code to analyze (instruction-only skill). This means there are no file-level matches to corroborate or explain the runtime instructions; the review must rely on SKILL.md and the included reference materials.
What to consider before installing
This skill looks like a legitimate FinRL/ZVT-style pipeline on paper, but its runtime instructions expect you to have and possibly install Python 3.12+, zvt and other libraries, create/check ~/.zvt, and connect to brokers like Alpaca — yet the registry lists no required env vars or install steps. Before installing or running it: 1) Ask the author to provide an explicit install spec and a list of required environment variables (Alpaca API_KEY/SECRET, ZVT_HOME, any DB credentials). 2) Inspect seed.yaml and the references folder yourself (they are included) for any commands that would run pip install or touch local files. 3) Run the skill only in an isolated environment (VM or Python venv) so automated pip installs or filesystem writes can't affect your primary workspace. 4) If you plan to connect to Alpaca or any broker, store keys in a vault or environment variables you control and confirm the skill will not transmit them elsewhere. 5) If you need higher assurance, request a concrete install script and minimal set of declared env vars, or decline until the author documents why no credentials are declared despite requiring broker/data access.

Like a lobster shell, security has layers — review code before you run it.

datavk9708y6rzz42v448sevs27j09585da7adoramagic-crystalvk9708y6rzz42v448sevs27j09585da7afinancevk9708y6rzz42v448sevs27j09585da7alatestvk9708y6rzz42v448sevs27j09585da7aportfoliovk9708y6rzz42v448sevs27j09585da7aquantvk9708y6rzz42v448sevs27j09585da7ariskvk9708y6rzz42v448sevs27j09585da7a
94downloads
0stars
3versions
Updated 4d ago
v0.3.3
MIT-0
Tang Weigang@tangweigang-jpg
datadoramagic-crystalfinancelatestportfolioquantrisk
Download

FinRL 强化环境 (finrl-meta-envs)

提供多市场金融强化学习环境,支持PPO/DQN等DRL算法回测、Markowitz组合优化与实时模拟交易,适配Alpaca等券商接口。

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (9 total)

Automated Paper Trading with PPO Agent (UC-101)

Execute simulated paper trades in real-time using a trained PPO reinforcement learning agent connected to Alpaca brokerage API, enabling risk-free str Triggers: paper trading, PPO agent, Alpaca

Alpaca Paper Trading Demo with PPO (UC-104)

Demonstrate live paper trading execution using a PPO neural network agent connected to Alpaca's paper trading API, enabling real-time trade simulation Triggers: paper trading, Alpaca demo, PPO

Markowitz Mean-Variance Portfolio Optimization (UC-102)

Optimize portfolio allocation across multiple assets using Markowitz mean-variance optimization to maximize risk-adjusted returns, balancing expected Triggers: portfolio optimization, Markowitz, mean-variance

For all 9 use cases, see references/USE_CASES.md.

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

IDRuleOn Violation
SL-01Execute sell orders before buy orders in every trading cyclehalt
SL-02Trading signals MUST use next-bar execution (no look-ahead)halt
SL-03Entity IDs MUST follow format entity_type_exchange_codehalt
SL-04DataFrame index MUST be MultiIndex (entity_id, timestamp)halt
SL-05TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amounthalt
SL-06filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTIONhalt
SL-07Transformer MUST run BEFORE Accumulator in factor pipelinehalt
SL-08MACD parameters locked: fast=12, slow=26, signal=9halt

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (25 total)

  • AP-ZVT-183: 除权因子为 inf/NaN 时直接参与乘法导致复权静默失败
  • AP-ZVT-179: 第三方数据接口超限后异常被吞噬,数据静默缺失
  • AP-ZVT-183B: HFQ(后复权)与 QFQ(前复权)K 线表使用错误导致因子计算漂移

All 25 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-116. Evidence verify ratio = 23.2% and audit fail total = 8. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

FileContentsWhen to Load
references/seed.yamlV6+ 全量权威 (source-of-truth)有行为/决策争议时必读
references/ANTI_PATTERNS.md25 条跨项目反模式开始实现前
references/WISDOM.md跨项目精华借鉴架构决策时
references/CONSTRAINTS.mddomain + fatal 约束规则冲突时
references/USE_CASES.md全量 KUC-* 业务场景需要完整示例时
references/LOCKS.mdSL-* + preconditions + hints生成回测/交易代码前
references/COMPONENTS.mdAST 组件地图(按 module 拆分)查 API 时

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-116 blueprint at 2026-04-22T13:00:56.369548+00:00. See human_summary.md for non-technical overview.

Comments

Loading comments...