Pandas Ta Indicators
Security checks across malware telemetry and agentic risk
Overview
This instruction-only skill is not clearly malicious, but it advertises indicator analysis while its instructions expand into ZVT data fetching, backtesting, and possible trading or broker workflows.
Install only if you want a broader ZVT quant-analysis/backtesting assistant, not merely pandas-ta indicator documentation. Use a sandbox or virtual environment, pin dependencies, do not supply broker credentials unless absolutely necessary, and require explicit confirmation before any live trading or account-connected action.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user expecting a technical-indicator helper may unintentionally rely on a broader quant-trading workflow.
The same artifact frames the skill as indicator calculation/visualization but expands the workflow to data storage, target selection, and trading execution, which is a broader and higher-impact purpose.
description: 基于 pandas-ta 库计算技术分析指标... Pipeline `data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization`
Treat this as a ZVT/backtesting/trading-assistant skill, not just a pandas-ta indicator skill; avoid live trading unless the workflow is explicitly reviewed and confirmed.
The agent could treat user requests to run or backtest as permission to perform broader financial workflow steps than the user intended.
The instructions define execution triggers and include order-sequencing rules, but do not clearly separate simulated backtests from live trading or require explicit approval before any broker/order-related action.
**Execute trigger**: `When user intent matches ... run/execute/跑/执行/backtest/fetch/collect` ... `SL-01` | Execute sell orders before buy orders in every trading cycle
Require explicit user confirmation for each external data fetch, account connection, and any live-order or broker-related action; default to offline analysis or paper trading.
Installing an unpinned package can introduce dependency or provenance risk.
A referenced setup path installs an unpinned external package even though the registry lists no install spec; this is not inherently malicious, but users should verify the package and version.
PC-01: `python3 -c 'import zvt; print(zvt.__version__)'` → on_fail: Run: python3 -m pip install zvt then re-run: python3 -m zvt.init_dirs
Pin and verify the ZVT package version before installing, preferably in an isolated virtual environment.
Local commands may download data, initialize files, or modify permissions in the user's home directory.
The reference instructions include local Python module execution and permission-changing setup commands. These are expected for ZVT data setup, but they should be user-reviewed before running.
PC-02 ... on_fail: Run recorder first: python3 -m zvt.recorders.em.em_stock_kdata_recorder --entity_ids stock_sh_600000 ... PC-04 ... chmod u+w ~/.zvt
Run these commands only after reviewing them, and use a project-specific ZVT_HOME or sandboxed environment where possible.
Connecting paid data or broker services could expose account authority or enable higher-impact financial actions.
The skill may ask the user to choose account-based or broker-backed providers, while the registry declares no credentials. The artifacts do not show credential theft or logging, but broker/account use is sensitive.
Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
Do not provide broker or paid-provider credentials unless the exact scope, storage, and action limits are clear; prefer read-only data sources for analysis.
