Finrobot Multi Agent

Review

Audited by ClawScan on May 10, 2026.

Overview

This finance-analysis skill is mostly coherent, but it references broker-based trading/order execution and sensitive credentials without clear live-trading approval or credential-scope boundaries.

Install only if you are comfortable reviewing the full reference set. Use it first for analysis and backtesting, keep credentials read-only where possible, and require explicit confirmation before any broker login, live order placement, or account-changing action.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with a real broker integration, the agent could generate or run workflows that affect actual positions or cash balances.

Why it was flagged

The skill moves beyond analysis/backtesting into broker and order-execution language. The artifacts do not clearly require a separate confirmation, dry-run mode, or scope boundary before any live trading action.

Skill content

`data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization`; `qmt (broker)?`; `SL-01` Execute sell orders before buy orders in every trading cycle

Recommendation

Treat all trading workflows as simulation-only unless you explicitly intend live trading; require a separate confirmation before any broker login, order placement, or account-changing action.

What this means

You may be asked to provide API keys or broker/account credentials without a clear statement of required scopes, storage, or whether read-only access is sufficient.

Why it was flagged

The registry declares no credential contract, but capability signals indicate OAuth or sensitive credentials may be needed. Combined with financial data and broker-provider references, the credential scope is under-specified.

Skill content

Required env vars: none; Env var declarations: none; Primary credential: none ... Capability signals: requires-oauth-token; requires-sensitive-credentials

Recommendation

Use read-only or least-privilege API keys where possible, avoid providing broker trading credentials unless explicitly needed, and confirm how credentials will be stored and used.

What this means

Running the suggested setup can install packages and create or modify local financial-data directories.

Why it was flagged

The skill documents local Python commands and package installation as setup/precondition steps. These are user-directed and related to the stated ZVT/backtesting purpose, but they still modify the local environment.

Skill content

`PC-01`: ... on_fail: Run: python3 -m pip install zvt then re-run: python3 -m zvt.init_dirs ... `PC-04`: ... chmod u+w ~/.zvt

Recommendation

Run setup commands yourself in a virtual environment, inspect packages before installing, and avoid broad permission changes unless necessary.

What this means

Financial reports, filings, or user-provided documents could be indexed or reused in later analysis if the implementation persists them.

Why it was flagged

The component map includes retrieval and vector-store capabilities, which are expected for financial document analysis but may persist or reuse indexed document content.

Skill content

`RetrieveUserProxyAgent.retrieve` ... `vector_store`

Recommendation

Avoid indexing private documents unless you understand where the vector store is kept, how it can be cleared, and whether it is shared across tasks.

What this means

Important behavior may be controlled by reference material beyond the short SKILL.md summary.

Why it was flagged

The skill delegates important behavior to a large authoritative seed file. This is disclosed, but because the source is unknown and the skill may guide financial/trading workflows, users should inspect the full authoritative file before relying on it.

Skill content

authoritative_artifact: primary: seed.yaml ... On any behavioral decision ... agents MUST re-read seed.yaml. Derivatives are for UI display only

Recommendation

Review the full seed.yaml and reference files, especially before using the skill for trading, credentials, or generated code execution.