Quantlib Derivatives
Security checks across malware telemetry and agentic risk
Overview
The skill is advertised as QuantLib derivatives pricing, but its own instructions pivot into ZVT market-data, backtesting, and trading workflows with broker/paid-provider hooks and under-declared setup.
Install only if you actually want a ZVT-style quant strategy/backtesting/trading assistant, not just a QuantLib pricing reference. Do not connect broker or paid data-provider accounts until the skill clearly documents credentials, approval gates, and whether actions are paper/backtest or live. Run any setup in a sandbox, review generated code before execution, and require explicit confirmation for any order-generating workflow.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Purpose mismatch
Impact: A user expecting a pricing/reference helper could instead get strategy, data-fetch, and trading workflow guidance.
Detail: This human-facing summary describes a ZVT quant-strategy/backtesting assistant, not the advertised QuantLib derivatives-pricing skill, creating a material purpose mismatch.
Evidence (quoted from the skill): "I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow."
Recommendation: Rename or split the skill, and clearly disclose whether it is for QuantLib pricing, ZVT strategy/backtesting, live trading, or some combination.
Finding 2: Order-generating semantics without an approval gate
Impact: If connected to a broker or live trading environment, generated or executed workflows could affect real financial positions.
Detail: The reference rules contain concrete buy/sell and order-sizing semantics, but the artifacts do not define a simulation-only boundary or an explicit human approval gate for live financial actions.
Evidence (quoted from the skill): "Execute sell orders before buy orders in every trading cycle ... TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount"
Recommendation: Require explicit user confirmation for any broker-connected or order-generating action, default to paper/backtest mode, and clearly label live-trading paths.
Finding 3: Undeclared credential and broker permission boundaries
Impact: Users may be prompted into account-backed or broker-backed workflows without clear guidance on what credentials or account authority the agent will use.
Detail: The skill invites use of paid/account and broker providers, while the registry declares no primary credential or environment-variable contract, leaving account and broker permission boundaries unclear.
Evidence (quoted from the skill): "Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?"
Recommendation: Declare required credentials/configuration, document supported providers, and separate read-only market-data access from broker/order access.
Finding 4: Undeclared dependency installed via preconditions
Impact: Users may install and run an unexpected financial framework and local initialization commands that were not surfaced in the registry install requirements.
Detail: The skill is registered as having no install spec, but the included preconditions direct installation and initialization of the zvt package, an undeclared dependency that also differs from the QuantLib-focused description.
Evidence (quoted from the skill): "on_fail: Run: python3 -m pip install zvt then re-run: python3 -m zvt.init_dirs"
Recommendation: Move dependency installation into a clear install spec, pin or document the package source/version, and align dependencies with the stated skill purpose.
Finding 5: Bundled reference material elevated to authoritative context
Impact: The agent may spend context on and follow the bundled reference material even when the user expected a narrower pricing helper.
Detail: The skill strongly elevates its own seed file as authoritative context before business decisions; this can be reasonable for a reference-heavy skill, but users should notice that it broadens the skill's influence over agent behavior.
Evidence (quoted from the skill): "On any behavioral decision ... agents MUST re-read seed.yaml ... Before answering any business question, the host MUST read them in order"
Recommendation: Keep reference-loading scoped to relevant user requests and avoid treating bundled guidance as overriding explicit user intent or safety checks.
