Ledger Plaintext Accounting

Security checks across malware telemetry and agentic risk

Overview

This skill is described as a plaintext accounting ledger, but its instructions largely guide quant trading/backtesting workflows, including broker and trading-execution language.

Review this skill before installing. Treat it as a quant trading/backtesting assistant, not just a plaintext accounting ledger. Do not connect brokerage accounts or run live trading workflows unless you explicitly intend to, approve each action, and understand any ZVT package installation and credential use.

VirusTotal

64/64 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI09: Human-Agent Trust Exploitation
Medium
What this means

A user expecting a plaintext accounting helper may instead get trading/backtesting behavior, which can affect financial decisions or account actions.

Why it was flagged

The same artifact advertises a double-entry ledger/accounting engine but then defines a quant-trading pipeline ending in trading execution.

Skill content
description: ... 复式记账引擎 ... FIFO ... / Pipeline `data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization`
Recommendation

Align the name, description, capabilities, and instructions; separate ledger-accounting guidance from quant-trading guidance, and clearly label any live-trading functionality.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If connected to a brokerage or trading provider, an agent following these instructions could generate or run high-impact trading workflows without sufficiently clear guardrails.

Why it was flagged

The instructions combine trading execution with broker/provider selection, but do not clearly require dry-run mode, backtest-only operation, or explicit approval before any live broker action.

Skill content
Pipeline `... target_selection -> trading_execution -> visualization`; Data source / provider: ... joinquant (account+paid) ... or qmt (broker)?
Recommendation

Default to backtesting only, require explicit user confirmation before live orders, document supported brokers and scopes, and add clear stop/rollback guidance.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill’s recommended dependency may run third-party Python code and create local ZVT data directories.

Why it was flagged

The reference docs direct installation and initialization of an external Python package, but the registry has no install spec and the package version is not pinned.

Skill content
on_fail: Run: python3 -m pip install zvt then re-run: python3 -m zvt.init_dirs
Recommendation

Pin dependency versions, declare setup requirements in metadata/install specs, and ask the user before installing or initializing external packages.

ASI03: Identity and Privilege Abuse
Low
What this means

Using some providers may require credentials or broker profiles, which are sensitive even if the artifacts do not show credential theft or logging.

Why it was flagged

The skill references paid accounts and broker access even though the registry declares no primary credential or required environment variables.

Skill content
Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock ..., akshare, or qmt (broker)?
Recommendation

Document credential needs and scopes, prefer read-only data credentials, and keep broker/API secrets out of prompts, logs, and generated code.