Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

robo-advisor-python

v0.3.0

Automated portfolio rebalancing and trade execution that follows a sell-before-buy principle, supports multi-market asset allocation, and computes minimum trade sizes and taxes/fees. Trigger scenarios: (1) the user wants to set up an automatic portfolio rebalancing strategy; (2) the user wants to calculate trading costs and redemption fees for a large-scale position adjustment; (3) the user wants to execute portfolio adjustments in priority order while avoiding tax and fee risk.

by Tang Weigang (@tangweigang-jpg)
Security Scan
Capability signals
  • Crypto
  • Can make purchases
  • Requires OAuth token
  • Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's description and components explicitly mention trade execution (placeOrder, Trade.buy/Trade.sell) and 'execute portfolio adjustments', which normally requires broker/API credentials and/or connectivity. Yet the registry metadata declares no required environment variables, no credential needs, and the install script does not install a trading/broker client. This is an incoherence: either the skill only generates code/backtests (no live execution) or it expects out-of-band credentials/installation. The SKILL.md also references ZVT as a required framework, but the provided install.sh does not install zvt — another mismatch.
Instruction Scope
Runtime instructions focus on data pipeline and backtest steps and include precondition checks that run small python commands (zvt import, get_kdata) and check ZVT_HOME and write permissions. These preconditions touch the local filesystem and import environment, which is expected for a data/backtest skill. The SKILL.md does not instruct exfiltration or contacting unknown endpoints. However the execution_protocol and seed.yaml instructions require the host to 're-read seed.yaml' and to run preconditions; that raises the surface area of what the agent will inspect locally (filesystem and installed packages).
Install Mechanism
There is no registry-level install spec, but an included scripts/install.sh uses pip to install packages from PyPI (pandas, numpy, matplotlib, requests, scipy, scikit-learn, pytest). This is a common, traceable install path (moderate risk). Minor issues: scikit-learn is requested with a non-strict operator ('>1.4.2') which may pull a newer major version unexpectedly; the script does not install the declared required framework 'zvt' even though preconditions require it.
Credentials
The skill requests no environment variables or credentials despite claiming live trading/execution functionality. Live trading normally requires broker API keys, account tokens, or at least documented credentials — their absence is a notable omission. The preconditions reference ZVT_HOME and require writable directories, so the skill will read/write local config/data paths, but there's no declaration of needing broker credentials or external service tokens (joinquant/broker/eastmoney API keys), which seems disproportionate to the stated execution capability.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide config changes in the files provided, and the install script only installs Python packages into the environment. Nothing in the manifest claims persistent privileged presence or automatic always-on inclusion.
What to consider before installing
Before installing or running this skill, consider the following:
  • Clarify whether the skill will perform live order execution or only generate/backtest code. If you intend live execution, ask the author how broker/API credentials are supplied and where orders are sent — the skill currently declares no required credentials.
  • The included install script installs Python packages from PyPI (pandas, numpy, matplotlib, requests, scipy, scikit-learn, pytest). Review these package versions for compatibility and security, and run the install in a controlled virtual environment (venv) or container.
  • The SKILL.md and seed.yaml expect the ZVT framework but the install.sh does not install zvt; you will likely need to install and configure zvt separately and ensure ZVT_HOME is set and writable.
  • The skill contains many domain constraints, semantic locks, and reference files (seed.yaml, LOCKS.md) that the agent expects to read; be aware the agent may inspect local files/directories when executing precondition checks.
  • Because the skill uses financial logic and enforces fatal semantic locks, test everything in a sandbox/backtest environment with simulated orders before connecting any real accounts. Verify order placement logic and cost/tax handling against a small controlled trade set.
  • The package is proprietary: check LICENSE.txt and provenance (source is unknown). If provenance matters, request source code/maintainer contact and review for any hidden network calls or unsolicited telemetry before granting network or credential access.


Tags: doramagic-crystal, finance, latest
15 downloads
0 stars
1 version
Updated 5h ago
v0.3.0
MIT-0

robo-advisor-python

I help you build quant strategies on A-share with ZVT — from data fetch to backtest, one flow. Just tell me what you want; I'll write the code, you don't have to dig docs. (Heads up: ZVT natively supports A-share, HK, and crypto. US stocks — stockus_nasdaq_AAPL — are half-baked; don't bother for serious work.)

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (0 total)

Install

# One-time setup before first use
bash scripts/install.sh

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

ID    | Rule                                                                            | On Violation
SL-01 | Execute sell orders before buy orders in every trading cycle                    | halt
SL-02 | Trading signals MUST use next-bar execution (no look-ahead)                     | halt
SL-03 | Entity IDs MUST follow format entity_type_exchange_code                         | halt
SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp)                       | halt
SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt
SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION        | halt
SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline                      | halt
SL-08 | MACD parameters locked: fast=12, slow=26, signal=9                              | halt

Full lock definitions: references/LOCKS.md
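The locks above can be checked mechanically before any order is handed to an execution layer. The following is an added example, not code from the skill or from ZVT: it derives next-bar orders from a filter_result series and orders each cycle sells first (SL-01, SL-02, SL-06), and rejects malformed entity IDs or ambiguous sizing (SL-03, SL-05). It is plain Python on constructed data; the entity-ID regex and the optional-float field shape of TradingSignal are assumptions, and pandas is not used, so the MultiIndex lock SL-04 is not modelled.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SL-03: entity_type_exchange_code, e.g. stock_sh_600000 or stockus_nasdaq_AAPL
# (the exact character classes are an assumption, not taken from LOCKS.md)
ENTITY_ID_RE = re.compile(r"^[a-z]+_[a-z]+_[A-Za-z0-9]+$")

@dataclass
class TradingSignal:
    entity_id: str
    timestamp: str                        # bar on which the order executes
    side: str                             # "BUY" or "SELL"
    position_pct: Optional[float] = None  # SL-05: exactly one of these three
    order_money: Optional[float] = None
    order_amount: Optional[int] = None

def validate_signal(sig: TradingSignal) -> None:
    """Raise ValueError naming the violated lock; return None if the signal is clean."""
    if not ENTITY_ID_RE.match(sig.entity_id):
        raise ValueError(f"SL-03 violated: bad entity_id {sig.entity_id!r}")
    sizing = (sig.position_pct, sig.order_money, sig.order_amount)
    if sum(x is not None for x in sizing) != 1:
        raise ValueError(f"SL-05 violated: need exactly one sizing field on {sig.entity_id}")

def signals_from_filter(entity_id, timestamps, filter_result, position_pct=0.1):
    """filter_result[i] was computed on bar timestamps[i] (SL-06: True=BUY,
    False=SELL, None/NaN=NO ACTION). SL-02: the order executes on the *next*
    bar, so the last bar's value has no execution bar yet and is not emitted."""
    signals = []
    for i in range(len(timestamps) - 1):
        flag = filter_result[i]
        if flag is None or flag != flag:  # None or NaN -> no action
            continue
        signals.append(TradingSignal(entity_id, timestamps[i + 1],
                                     "BUY" if flag else "SELL", position_pct=position_pct))
    return signals

def order_cycle(signals):
    """Group validated signals by execution bar; within a bar, sells precede buys (SL-01)."""
    by_bar = {}
    for s in signals:
        validate_signal(s)
        by_bar.setdefault(s.timestamp, []).append(s)
    cycles = []
    for ts in sorted(by_bar):
        sells = [s for s in by_bar[ts] if s.side == "SELL"]
        buys = [s for s in by_bar[ts] if s.side == "BUY"]
        cycles.append((ts, sells + buys))
    return cycles
```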

Top Anti-Patterns (14 total)

  • AP-PORTFOLIO-ANALYTICS-001: Division by zero in price ratio calculations corrupts rebalancing
  • AP-PORTFOLIO-ANALYTICS-002: Look-ahead bias from unshifted signal generation and position calculations
  • AP-PORTFOLIO-ANALYTICS-003: Non-positive-semidefinite covariance matrix breaks CVXPY optimization

All 14 anti-patterns: references/ANTI_PATTERNS.md
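Two of the listed anti-patterns are cheap to guard against before numbers reach a rebalancer or an optimizer. Added example, not the skill's own code, in plain Python on constructed data: price_ratios refuses to divide by a zero, negative, NaN or missing price (AP-PORTFOLIO-ANALYTICS-001), and repair_covariance symmetrises a covariance matrix, detects non-positive-definiteness through a Cholesky attempt, and adds the smallest diagonal loading that fixes it (AP-PORTFOLIO-ANALYTICS-003); the jitter schedule and the 1e-2 ceiling are assumptions.

```python
import math

def price_ratios(prices):
    """p[t]/p[t-1] per bar; a zero, negative, NaN or missing price on either side
    yields None (treated as NO ACTION downstream) instead of inf or an exception."""
    out = []
    for prev, cur in zip(prices, prices[1:]):
        if prev is None or cur is None or not (prev > 0 and cur > 0):
            out.append(None)  # NaN fails both comparisons, so it lands here too
        else:
            out.append(cur / prev)
    return out

def cholesky(m):
    """Lower-triangular L with L*L^T == m. Raises ValueError when m is not
    positive definite, which is what a solver sees when fed a bad covariance."""
    n = len(m)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = m[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            if i == j:
                if s <= 0:
                    raise ValueError("matrix is not positive definite")
                L[i][i] = math.sqrt(s)
            else:
                L[i][j] = s / L[j][j]
    return L

def repair_covariance(cov, max_jitter=1e-2):
    """Symmetrise cov, then add the smallest diagonal loading (from 1e-8, x10 per
    step; an assumed schedule) that makes Cholesky succeed. Returns (matrix, jitter)
    or raises if more than max_jitter would be needed, i.e. the inputs are wrong."""
    n = len(cov)
    sym = [[(cov[i][j] + cov[j][i]) / 2.0 for j in range(n)] for i in range(n)]
    jitter = 0.0
    while True:
        cand = [[sym[i][j] + (jitter if i == j else 0.0) for j in range(n)]
                for i in range(n)]
        try:
            cholesky(cand)
            return cand, jitter
        except ValueError:
            jitter = 1e-8 if jitter == 0.0 else jitter * 10.0
            if jitter > max_jitter:
                raise ValueError("covariance too far from PSD; recheck the return series")
```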

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-066. Evidence verify ratio = 72.7% and audit fail total = 20. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

File                      | Contents                                        | When to Load
references/seed.yaml      | V6+ full authoritative spec (source-of-truth)   | Must read when behaviour/decisions are disputed
references/ANTI_PATTERNS.md | 14 cross-project anti-patterns                | Before starting implementation
references/WISDOM.md      | Distilled cross-project lessons                 | When making architecture decisions
references/CONSTRAINTS.md | domain + fatal constraints                      | When rules conflict
references/USE_CASES.md   | Full set of KUC-* business scenarios            | When a complete example is needed
references/LOCKS.md       | SL-* + preconditions + hints                    | Before generating backtest/trading code
references/COMPONENTS.md  | AST component map (split by module)             | When looking up an API

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-066 blueprint at 2026-04-22T13:00:21.762032+00:00. See human_summary.md for non-technical overview.
