Qlib Ai Quant
PassAudited by ClawScan on May 10, 2026.
Overview
The artifacts show a user-directed quant/backtesting helper, with setup and credential cautions but no evidence of hidden exfiltration or destructive behavior.
Before installing or using this skill, decide whether the ZVT-based setup matches your expectation for a Qlib-branded quant tool. Use a virtual environment, pin package versions, avoid sharing broker or paid-provider credentials unless needed, and treat generated backtests as research—not trading instructions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could install and initialize a local quant package they did not expect from the skill name or registry install metadata.
The skill has no declared install spec, but its setup guidance includes installing an unpinned Python package, and the package named here is ZVT rather than the advertised Qlib stack.
`PC-01`: ... on_fail: Run: python3 -m pip install zvt then re-run: python3 -m zvt.init_dirs
Confirm whether you want a ZVT-based or Qlib-based workflow, run setup only in a virtual environment, and pin/review package versions before installing.
Running the suggested recorder may contact market-data providers and populate local data stores.
The skill documents local Python module execution for data-recorder setup. This is expected for market-data backtesting, but it still runs local package code and may fetch/write data.
`PC-02`: ... on_fail: Run recorder first: python3 -m zvt.recorders.em.em_stock_kdata_recorder --entity_ids stock_sh_600000
Run recorder commands only after selecting the intended symbols and data provider, and review provider limits, costs, and output locations.
If you choose paid or broker providers, mishandled credentials could expose account access or enable unintended financial-system interactions.
The skill may involve paid provider accounts or broker-related access, which can require credentials or delegated account authority, although the artifacts do not show credential collection, storage, or leakage.
Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
Use read-only or sandbox credentials where possible, do not provide broker secrets unless live access is truly intended, and confirm commands are for backtesting rather than real trading.