Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

p2p-lending-data

v0.3.0

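Validates the core flows of the Frappe Lending loan module, including automated testing of loan application creation, disbursement schedule generation, repayment processing, and closure refunds. Trigger scenarios: (1) the user wants to test whether the loan application flow correctly creates a draft loan and configures the interest rate; (2) the user wants to verify repayment schedule generation and grace-period interest calculation after disbursement; (3) the user wants to test the sharing logic under a co-lending partner configuration.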

by Tang Weigang (@tangweigang-jpg)
Security Scan
Capability signals: Crypto, Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill name/description claim: validate Frappe Lending loan-module flows. However SKILL.md and human_summary predominantly describe a ZVT backtesting/data pipeline (A-share trading, recorders, MACD, etc.). The repository also contains many lending-related reference files (components, use cases, seed.yaml) but the top-level runtime text is inconsistent. This mixing of two different domains (Frappe lending vs. ZVT trading/backtest) is incoherent: an author of a lending-test skill would not normally include ZVT preconditions/questions.
! Instruction Scope
Runtime instructions tell the agent to run scripts/install.sh (which pip-installs many packages) and seed.yaml's execution_protocol requires re-reading seed.yaml and running preconditions. Several preconditions reference ZVT (python checks importing zvt, running recorders, and checking ZVT_HOME environment variable). Those environment checks are not declared in requires.env and are unrelated to the stated Frappe lending testing purpose. The SKILL.md also asks user questions about data sources and markets (eastmoney, joinquant) which implies external network calls and potential need for provider credentials, but none are declared. Overall the instruction set requests access to local paths and env vars outside the declared scope and mixes unrelated tasks.
Install Mechanism
No formal install spec in registry, but scripts/install.sh (included) pip-installs multiple packages from PyPI (frappe, erpnext, payments, pypika, flake8, semgrep, wkhtmltopdf, frappe-bench, etc.). Installing from PyPI is a common pattern but still executes arbitrary third-party code downloaded at runtime. There are no opaque URLs or archive extracts, but the install list is large and includes packages that may have system prerequisites (wkhtmltopdf typically expects a system binary). Consider running the install in an isolated environment/container.
! Credentials
Registry metadata declares no required env vars or credentials, but SKILL.md/seed.yaml preconditions reference ZVT_HOME and require importing zvt and running recorders (which may require provider accounts). The skill also implicitly references external data providers (eastmoney, joinquant, akshare, qmt) where accounts/keys may be needed. Access to ZVT_HOME (read/write) and potential recorder runs are not declared, so the environment/credential surface is under-specified and disproportionate to the declared 'no env vars' requirement.
Persistence & Privilege
The skill is not marked always:true and doesn't request special platform privileges. The included install script and seed.yaml direct installing packages and reading/writing host workspace paths (scripts_path, skills_path), which is normal for an installable skill. There is no evidence it modifies other skills or system-wide agent settings beyond its own files.
What to consider before installing
  • Incoherent purpose: The skill claims to test Frappe/ERPNext lending flows but the top-level content repeatedly references ZVT backtesting and recorder checks. Ask the author which domain this skill targets and request a corrected SKILL.md that matches the intended purpose.
  • Inspect install.sh: It pip-installs many packages from PyPI (frappe, erpnext, payments, pypika, semgrep, wkhtmltopdf, etc.). Run this script only inside a disposable virtualenv or container to avoid contaminating your system.
  • Environment/credentials: Although the registry lists no required env vars, SKILL.md/seed.yaml preconditions read ZVT_HOME and import zvt; the skill may attempt to read/write ~/.zvt or run data recorders that contact external providers. Confirm whether you must provide provider credentials (eastmoney/joinquant) and whether ZVT usage is intentional.
  • Run in sandbox first: Because the package list is large and the skill's instructions perform filesystem and Python import checks, test it in an isolated VM/container and review logs before granting it broader access.
  • What would change this assessment: a clean SKILL.md aligned with the Frappe lending test purpose (or, alternatively, a clarified description that the skill is for ZVT/backtesting), removal or explicit declaration of ZVT-related preconditions and any required provider credentials, and a smaller, well-justified install list. If the maintainer confirms the mixed content was accidental, treat this as a mispackaged skill rather than malicious.


Tags: doramagic-crystal, finance, latest
28 downloads
0 stars
1 version
Updated 10h ago
MIT-0

p2p-lending-data

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (18 total)

Test Infrastructure Setup for Lending Module (UC-101)

Provides shared test utilities and setup functions needed by each lending module tests, including master initialization, loan product creation, and cu
Triggers: test setup, lending test utils, test infrastructure

Loan Refund and Closure Testing (UC-102)

Tests the loan closure process when a borrower requests a refund of excess amounts after repaying the loan
Triggers: loan refund, loan closure, excess amount refund

Loan Application Creation Testing (UC-103)

Tests the creation and processing of loan applications including rate of interest configuration and applicant details
Triggers: loan application, loan request, apply for loan

For all 18 use cases, see references/USE_CASES.md.

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

| ID | Rule | On Violation |
|---|---|---|
| SL-01 | Execute sell orders before buy orders in every trading cycle | halt |
| SL-02 | Trading signals MUST use next-bar execution (no look-ahead) | halt |
| SL-03 | Entity IDs MUST follow format entity_type_exchange_code | halt |
| SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp) | halt |
| SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt |
| SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION | halt |
| SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline | halt |
| SL-08 | MACD parameters locked: fast=12, slow=26, signal=9 | halt |

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (14 total)

  • AP-CREDIT-RISK-001: Empty DataFrame passed to bucketing pipeline
  • AP-CREDIT-RISK-002: Multi-dimensional target array causing WoE shape mismatch
  • AP-CREDIT-RISK-003: OptimalBucketer receiving high-cardinality numerical features

All 14 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-072. Evidence verify ratio = 69.5% and audit fail total = 24. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

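| File | Contents | When to Load |
|---|---|---|
| references/seed.yaml | V6+ complete authoritative source (source-of-truth) | Must read when behavior or decisions are in dispute |
| references/ANTI_PATTERNS.md | 14 cross-project anti-patterns | Before starting implementation |
| references/WISDOM.md | Cross-project highlights | When drawing on architecture decisions |
| references/CONSTRAINTS.md | domain + fatal constraints | When rules conflict |
| references/USE_CASES.md | All KUC-* business scenarios | When complete examples are needed |
| references/LOCKS.md | SL-* + preconditions + hints | Before generating backtest/trading code |
| references/COMPONENTS.md | AST component map (split by module) | When looking up an API |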

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-072 blueprint at 2026-04-22T13:00:26.108289+00:00. See human_summary.md for non-technical overview.
