Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

opensanctions-watchlist

v0.3.0

Automates the crawling, cleaning and loading of global sanctions lists and entity data, with support for Wikidata update review, entity cross-reference deduplication, and archived version management. Trigger scenarios: (1) the user wants to query and analyse sanctions-list data; (2) the user wants to deduplicate and cross-match target entities; (3) the user wants to bulk-load or update external sanctions data into a local database.

by Tang Weigang (@tangweigang-jpg)

Security Scan

Capability signals: Crypto · Requires wallet · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
Name/description state 'opensanctions-watchlist' (sanctions scraping, Wikidata review, dedupe, archival). However SKILL.md and human_summary describe A-share quant strategies and ZVT backtest pipelines (trading execution, MACD, ZVT recorders) which are unrelated. The included seed.yaml/refs mostly reference opensanctions components, but the top-level runtime instructions and many 'use cases' are for trading — this is a strong mismatch between declared purpose and the agent instructions.
Instruction Scope (flagged)
SKILL.md instructs the agent to run scripts/install.sh and to follow a long seed.yaml-driven execution protocol that mandates re-reading seed.yaml and invoking preconditions (some of which run zvt CLI commands and check ZVT_HOME). Those instructions reference reading many local files and enforcing domain-specific 'semantic locks'. The instructions go beyond simple sanctions ETL: they include trading/backtest preconditions and require reading workspace files (references/seed.yaml and many large reference documents). This broad, mixed instruction set grants the agent wide discretion to read many local project files and to run arbitrary python CLI checks unrelated to sanctions functionality.
Install Mechanism
No packaged install spec (instruction-only), but there is scripts/install.sh which pip-installs a list of packages (followthemoney, nomenklatura, plyvel, rigour, datapatch, banal, lxml, requests[security], orjson, sqlalchemy[mypy]). These packages are typical for OpenSanctions-style tooling and come from PyPI (no custom URL downloads). Using pip is normal; risk is moderate and confined to standard package installs—run in an isolated environment if you proceed.
Credentials (flagged)
Declared requirements list no environment variables, but SKILL.md and seed.yaml preconditions reference ZVT_HOME and expect a ZVT installation and Python checks. SKILL.md also states 'Requires Python 3.12+ with uv package manager' but the install script uses pip and doesn't enforce Python 3.12. The skill therefore references environment variables and host state that are not declared, which is incoherent and could cause the agent to probe or expect unrelated credentials/config paths.
Persistence & Privilege
always:false (good). The skill is instruction-heavy and its seed.yaml execution_protocol tells the agent to re-load seed.yaml and a set of reference files before decisions — this encourages repeated reading of many local files but does not request permanent 'always' inclusion or change other skills' configs. Still, the agent would be instructed to read a large corpus of local project files (seed.yaml, references/*), increasing the surface area for accidental data exposure; exercise caution.
What to consider before installing
This skill is internally inconsistent: its name and some reference files suggest an OpenSanctions ETL/watchlist tool, but the SKILL.md/human_summary are about ZVT A-share trading/backtesting. Before installing: (1) Ask the publisher to explain the mismatch and provide an authoritative source/homepage; (2) if you must try it, run scripts/install.sh only inside an isolated virtualenv or disposable container (do not run on a sensitive host); (3) inspect seed.yaml and SKILL.md fully — the skill instructs the agent to read many local files and to run zvt-related precondition checks that may probe ZVT_HOME and run Python CLI commands; (4) confirm required Python version and why the install script uses pip rather than the declared 'uv' manager; (5) avoid granting any secrets or system-wide env changes until the purpose/contents are clarified. If the publisher cannot explain the purpose mismatch, prefer not to install.


Tags: doramagic-crystal, finance, latest
28 downloads · 0 stars · 1 version · Updated 10h ago · v0.3.0 · MIT-0

opensanctions-watchlist

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (60 total)

Dataset Crawling (ETL) (UC-101)

Automates the extraction, transformation, and loading of data from external sources into the OpenSanctions data store with optional validation and dat
Triggers: crawl, extract, load

Wikidata Updates Review (UC-103)

Interactively reviews and applies Wikidata updates to OpenSanctions datasets, allowing manual curation of proposed entity matches.
Triggers: wikidata, update, review

Database Statement Loading (UC-104)

Loads dataset statements from the archive into a SQL database for querying and analysis, with configurable batch sizes.
Triggers: load, database, sql

For all 60 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

ID    | Rule                                                                       | On Violation
SL-01 | Execute sell orders before buy orders in every trading cycle               | halt
SL-02 | Trading signals MUST use next-bar execution (no look-ahead)                | halt
SL-03 | Entity IDs MUST follow format entity_type_exchange_code                    | halt
SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp)                  | halt
SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt
SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION   | halt
SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline                 | halt
SL-08 | MACD parameters locked: fast=12, slow=26, signal=9                         | halt

Full lock definitions: references/LOCKS.md
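As an added, constructed example (not code from this skill, from ZVT or from OpenSanctions), a pre-flight guard that checks a proposed trading signal against the SL-02, SL-03, SL-05, SL-06 and SL-08 locks and returns the violated IDs so the caller can halt before any generated code runs. The signal is modelled as a plain dict with ISO-date strings; the field names timestamp and execute_timestamp are assumptions, not names from the skill.

```python
import re
from typing import Any

# Constructed guard for the SL-* locks in the table above; field names are assumed.
ENTITY_ID_RE = re.compile(r"^[a-z]+_[a-z]+_[A-Za-z0-9]+$")  # SL-03: entity_type_exchange_code
SIZE_FIELDS = ("position_pct", "order_money", "order_amount")  # SL-05: exactly one set
MACD_LOCK = {"fast": 12, "slow": 26, "signal": 9}              # SL-08: fixed parameters


def _is_no_action(x: Any) -> bool:
    """SL-06: None or NaN both mean NO ACTION (NaN is the only value unequal to itself)."""
    return x is None or (isinstance(x, float) and x != x)


def lock_violations(signal: dict[str, Any], macd_params: dict[str, int]) -> list[str]:
    """Return the IDs of every violated lock, in ID order; an empty list means safe to proceed."""
    violated: list[str] = []
    # SL-02: the order must execute on a later bar than the one that produced the signal.
    exec_ts, sig_ts = signal.get("execute_timestamp"), signal.get("timestamp")
    if exec_ts is not None and sig_ts is not None and not exec_ts > sig_ts:
        violated.append("SL-02")
    if not ENTITY_ID_RE.match(str(signal.get("entity_id", ""))):
        violated.append("SL-03")
    # SL-05: count sizing fields that are actually set (None counts as unset).
    if sum(signal.get(f) is not None for f in SIZE_FIELDS) != 1:
        violated.append("SL-05")
    fr = signal.get("filter_result")
    if not (fr is True or fr is False or _is_no_action(fr)):
        violated.append("SL-06")
    if any(macd_params.get(k) != v for k, v in MACD_LOCK.items()):
        violated.append("SL-08")
    return violated


def action_for(filter_result: Any) -> str:
    """Map a filter_result cell to its SL-06 action; raise on anything outside the contract."""
    if filter_result is True:
        return "BUY"
    if filter_result is False:
        return "SELL"
    if _is_no_action(filter_result):
        return "NO ACTION"
    raise ValueError("SL-06: filter_result must be True, False, None or NaN")


if __name__ == "__main__":
    sample = {"entity_id": "stock_sh_600000", "timestamp": "2024-01-02",
              "execute_timestamp": "2024-01-03", "position_pct": 0.1, "filter_result": True}
    print("halt" if lock_violations(sample, MACD_LOCK) else "ok")
```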

Top Anti-Patterns (15 total)

  • AP-REGTECH-001: Missing attribute initialization on data structures
  • AP-REGTECH-002: Self-loops in transaction graphs violate domain rules
  • AP-REGTECH-003: Unvalidated floating-point inputs cause runtime crashes

All 15 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-071. Evidence verify ratio = 26.8% and audit fail total = 35. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

File                      | Contents                                        | When to Load
references/seed.yaml      | V6+ full authoritative data (source-of-truth)   | Must read whenever there is a behaviour or decision dispute
references/ANTI_PATTERNS.md | 15 cross-project anti-patterns                | Before starting an implementation
references/WISDOM.md      | Distilled lessons from other projects           | When making architecture decisions
references/CONSTRAINTS.md | domain + fatal constraints                      | When rules conflict
references/USE_CASES.md   | Full set of KUC-* business scenarios            | When complete examples are needed
references/LOCKS.md       | SL-* + preconditions + hints                    | Before generating backtest/trading code
references/COMPONENTS.md  | AST component map (split by module)             | When looking up an API

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-071 blueprint at 2026-04-22T13:00:25.342470+00:00. See human_summary.md for non-technical overview.
