Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

lean-cloud-backtest

v0.3.0

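Build a multi-market quantitative research and backtesting environment on the LEAN engine, with support for QuantBook historical data retrieval, technical indicator calculation, and custom factor modeling. Trigger scenarios: (1) the user wants to set up a C# or Python QuantBook research environment for quantitative analysis; (2) the user wants to fetch historical data across multiple asset classes for backtesting; (3) the user wants to compute technical indicators or implement a custom factor model.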

by Tang Weigang (@tangweigang-jpg)
Security Scan
Capability signals: Crypto, Requires wallet, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill advertises C# / QuantBook (LEAN) and multi-market ZVT workflows, yet the package has no requirements for .NET, the LEAN engine, QuantConnect/QuantBook tooling, or the zvt Python package. The only install artifact is a pip script that installs common Python libs (pandas/numpy/etc.) — insufficient for C# QuantBook or LEAN usage. This is a mismatch: a genuine QuantBook/LEAN skill would declare or install .NET runtime, LEAN/QuantConnect packages, or explicit zvt/recorder dependencies.
Instruction Scope
SKILL.md contains many operational preconditions and references (seed.yaml, references/*, semantic locks) and instructs running scripts/install.sh and precondition Python checks that will import zvt and touch files under ZVT_HOME. The instructions reference environment state (ZVT_HOME, zvt presence) that is not declared in requires.env. They also expect the agent/user to re-read seed.yaml and to run precondition checks that may write a test file (~/.zvt/.write_test). While these actions are explainable for a data/backtest skill, they widen the skill's reach beyond the small set of files it actually installs.
Install Mechanism
An included scripts/install.sh uses python3 -m pip install to install pinned/broad Python packages into the active Python environment without creating or recommending a virtualenv. This can modify the user's global Python environment (risk of downgrades/conflicts). The script does not install zvt, LEAN/QuantConnect, .NET, or other expected platform components. Lack of a venv or isolation step is a notable installation risk.
Credentials
The skill declares no required environment variables or credentials, yet runtime instructions and preconditions reference ZVT_HOME and run Python commands that expect a zvt installation and writable ~/.zvt. Access to those filesystem locations will be attempted but was not declared. No secrets are requested, which is appropriate, but the undeclared dependency on ZVT-related environment/config paths is a mismatch.
Persistence & Privilege
always:false and no persistence to other skills are declared. However, the install script will change the user's Python environment globally, and precondition checks may create and remove files under the user's ZVT_HOME. This is normal for setup scripts but is an elevated footprint compared to an instruction-only skill that does not write to disk.
What to consider before installing
This skill is internally inconsistent: it claims C#/QuantBook and ZVT workflows but doesn't install or declare the .NET/LEAN/QuantBook/ZVT components needed. The provided install script uses pip directly (no virtualenv), will modify your Python environment globally, and may create files under ~/.zvt. Before installing:
1) Do NOT run scripts/install.sh in a shared or production Python environment — use a fresh virtualenv or container.
2) Verify and add any missing dependencies you need (zvt, LEAN/QuantConnect, .NET/mono, QuantBook tooling) — the skill does not install them.
3) Inspect seed.yaml and the references folder for any additional actions the agent may be told to run.
4) If you only need Python templates/examples, ask the maintainer to supply a pure-Python, venv-friendly install or explicit dependency list (including zvt) and to declare required env vars (ZVT_HOME) up front.
5) If you lack experience with environment setup, seek a vetted package or run inside an isolated VM/container.
These inconsistencies make the skill suspicious but do not prove it is malicious.

Like a lobster shell, security has layers — review code before you run it.

Tags: doramagic-crystal, finance, latest
14 downloads
0 stars
1 version
Updated 4h ago
v0.3.0
MIT-0

lean-cloud-backtest

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (8 total)

C# QuantBook Research Environment Setup (UC-101)

Provides a foundational C# research environment template for loading QuantBook and fetching historical data across multiple asset classes for analysis.
Triggers: C#, QuantBook, research environment

Python QuantBook Basic Research with Indicators (UC-102)

Provides a Python research environment template demonstrating QuantBook setup, historical data fetching, price plotting, and Bollinger Bands indicator.
Triggers: Python, QuantBook, Bollinger Bands

C# Comprehensive QuantBook API and Data Fetching (UC-103)

Comprehensive C# template demonstrating QuantBook API cloud connectivity, project listing, and multiple methods for fetching historical data with diff
Triggers: C#, QuantBook, API

For all 8 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

| ID | Rule | On Violation |
|-------|------|--------------|
| SL-01 | Execute sell orders before buy orders in every trading cycle | halt |
| SL-02 | Trading signals MUST use next-bar execution (no look-ahead) | halt |
| SL-03 | Entity IDs MUST follow format entity_type_exchange_code | halt |
| SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp) | halt |
| SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt |
| SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION | halt |
| SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline | halt |
| SL-08 | MACD parameters locked: fast=12, slow=26, signal=9 | halt |

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (25 total)

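  • AP-ZVT-183: An ex-rights adjustment factor of inf/NaN is used directly in multiplication, so price adjustment fails silently
  • AP-ZVT-179: After a third-party data API exceeds its rate limit, the exception is swallowed and data goes silently missing
  • AP-ZVT-183B: Using the wrong K-line table, HFQ (backward-adjusted) versus QFQ (forward-adjusted), causes factor computation drift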

All 25 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-100. Evidence verify ratio = 23.0% and audit fail total = 20. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

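| File | Contents | When to Load |
|------|----------|--------------|
| references/seed.yaml | V6+ full authoritative copy (source-of-truth) | Required reading when behavior or decisions are in dispute |
| references/ANTI_PATTERNS.md | 25 cross-project anti-patterns | Before starting implementation |
| references/WISDOM.md | Cross-project lessons worth borrowing | When making architecture decisions |
| references/CONSTRAINTS.md | domain + fatal constraints | When rules conflict |
| references/USE_CASES.md | Full set of KUC-* business scenarios | When complete examples are needed |
| references/LOCKS.md | SL-* + preconditions + hints | Before generating backtest/trading code |
| references/COMPONENTS.md | AST component map (split by module) | When looking up an API |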

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-100 blueprint at 2026-04-22T13:00:45.713977+00:00. See human_summary.md for non-technical overview.
