Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Rotki Crypto Tracker

v0.3.3

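Implements self-hosted cryptocurrency portfolio tracking: automatically aggregates assets across multiple exchanges and on-chain wallets, calculates position profit and loss in real time, and generates tax reports.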

by Tang Weigang (@tangweigang-jpg)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tangweigang-jpg/rotki-crypto-tracker.

Prompt preview (Install & Setup):
Install the skill "Rotki Crypto Tracker" (tangweigang-jpg/rotki-crypto-tracker) from ClawHub.
Skill page: https://clawhub.ai/tangweigang-jpg/rotki-crypto-tracker
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install tangweigang-jpg/rotki-crypto-tracker

ClawHub CLI

npx clawhub@latest install rotki-crypto-tracker

Security Scan

Capability signals

  • Crypto
  • Requires wallet
  • Can make purchases
  • Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
Name/description claim a self-hosted crypto portfolio tracker (Rotki-like). The SKILL.md and included files, however, are a blended blueprint that repeatedly references ZVT, A-share quant backtests, Sphinx docs, and pipelines for backtesting rather than a pure portfolio tracker. Metadata also claims 'Requires Python 3.12+ with uv package manager' but the skill declares no required binaries, packages, or environment variables. This mismatch suggests the declared purpose does not fully explain the skill's actual responsibilities.
! Instruction Scope
SKILL.md and seed.yaml instruct the agent to re-read seed.yaml, run precondition checks (python -c 'import zvt' / run zvt recorders), verify and install packages, and touch/verify host filesystem paths (~/.zvt, host_workspace paths). Those runtime instructions ask the agent to run host commands and access filesystem locations even though the skill's metadata declares no config paths or required env vars. The instructions also embed strict 'semantic locks' for trading that would drive execution logic; this gives the skill broad discretion over trading/backtest behavior beyond a simple read-only tracker.
Install Mechanism
There is no install spec and no code files (instruction-only), which reduces direct install risk. However the seed.yaml execution_protocol and SKILL.md expect the host agent to run install/verification steps at runtime (pip install zvt, host_adapter.install_recipes[]), so while nothing is bundled, the instructions implicitly require installing external packages — the install burden is deferred to the host and is not declared explicitly.
! Credentials
The skill declares no required environment variables or credentials, yet the content references exchange integrations, blockchain RPCs, and ZVT recorders — features that normally require API keys, RPC endpoints, and writable data directories. The absence of declared credentials (API keys, node URLs, ZVT_HOME) is disproportionate and makes it unclear how the skill expects to access external accounts or on‑chain data. Also the included anti-patterns warn about bypassing API facades and other high‑risk behaviors, but no safeguards or required env declarations are present.
Persistence & Privilege
always:false (good). Autonomous invocation is allowed (platform default). The skill's seed.yaml and SKILL.md instruct the agent to write/read host_workspace and data directories and to run precondition fixes (pip install, init dirs). That implies it expects to modify local workspace state during execution — not an elevated privilege by itself, but you should treat runtime installs/FS writes as potentially impactful and run in an isolated/test environment.
What to consider before installing
This skill is inconsistent and incomplete: it claims to be a Rotki-like crypto tracker but its instructions and reference files are heavily mixed with ZVT/A-share backtest material and expect the agent to run Python checks, install packages, and write to local data dirs while declaring no required credentials or install steps. Before installing or running it:

1) ask the publisher for the source code or an authoritative homepage;
2) require the skill to explicitly declare any env vars/credentials (exchange API keys, RPC endpoints, ZVT_HOME) and justify each;
3) run it first in a fully isolated environment (VM/container) without real API keys;
4) verify whether it will call external endpoints or bypass REST API facades (the anti-pattern AP-CRYPTO-TRADING-003 appears in its docs); and
5) if you plan to connect exchange/wallet keys, audit the code that performs API calls and any filesystem writes.

If the vendor cannot provide a clear, coherent mapping from claimed purpose → required credentials → runtime actions, treat the skill as risky and avoid granting real secrets or persistent installation.

Like a lobster shell, security has layers — review code before you run it.

Tags: crypto, doramagic-crystal, finance, latest, portfolio
79 downloads
0 stars
3 versions
Updated 3d ago
v0.3.3
MIT-0

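Rotki Crypto Tracking (rotki-crypto-tracker)

Implements self-hosted cryptocurrency portfolio tracking: automatically aggregates assets across multiple exchanges and on-chain wallets, calculates position profit and loss in real time, and generates tax reports.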

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (1 total)

Sphinx Documentation Configuration (UC-101)

Configure Sphinx documentation builder settings for the rotki project including version, author, and extension modules.

Triggers: documentation, sphinx, configuration

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

| ID | Rule | On Violation |
|---|---|---|
| SL-01 | Execute sell orders before buy orders in every trading cycle | halt |
| SL-02 | Trading signals MUST use next-bar execution (no look-ahead) | halt |
| SL-03 | Entity IDs MUST follow format entity_type_exchange_code | halt |
| SL-04 | DataFrame index MUST be MultiIndex (entity_id, timestamp) | halt |
| SL-05 | TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amount | halt |
| SL-06 | filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTION | halt |
| SL-07 | Transformer MUST run BEFORE Accumulator in factor pipeline | halt |
| SL-08 | MACD parameters locked: fast=12, slow=26, signal=9 | halt |

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (13 total)

  • AP-CRYPTO-TRADING-001: Float Arithmetic for Monetary Values
  • AP-CRYPTO-TRADING-002: Missing Market Initialization Before Access
  • AP-CRYPTO-TRADING-003: Bypassing API Facade Layer

All 13 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-095. Evidence verify ratio = 47.0% and audit fail total = 36. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

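| File | Contents | When to Load |
|---|---|---|
| references/seed.yaml | V6+ full authoritative spec (source-of-truth) | Required reading when behavior or decisions are disputed |
| references/ANTI_PATTERNS.md | 13 cross-project anti-patterns | Before starting implementation |
| references/WISDOM.md | Cross-project lessons worth borrowing | When making architecture decisions |
| references/CONSTRAINTS.md | Domain + fatal constraints | When rules conflict |
| references/USE_CASES.md | All KUC-* business scenarios | When complete examples are needed |
| references/LOCKS.md | SL-* + preconditions + hints | Before generating backtest/trading code |
| references/COMPONENTS.md | AST component map (split by module) | When looking up APIs |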

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-095 blueprint at 2026-04-22T13:00:41.524812+00:00. See human_summary.md for non-technical overview.
