Skill v0.3.3
ClawScan security
Xalpha Fund Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 2:31 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with a fund/portfolio analytics helper: it is instruction-only, asks for no secrets, and its runtime checks/install hints (zvt, writable ZVT_HOME) match the described purpose.
- Guidance: This skill appears to be what it claims: an instruction-only finance/backtest helper built around the ZVT ecosystem. Before installing/running: (1) Confirm you have Python 3.12+ and are comfortable letting the agent run the precondition Python checks it lists; (2) expect it to create/use a data directory (ZVT_HOME default: ~/.zvt) and to run recorders that will fetch data from external providers — use a container or isolated environment if you want to limit filesystem/network impact; (3) do not supply unrelated credentials: paid data providers (joinquant/qmt) require separate API keys you should only provide if you trust them; (4) review references/seed.yaml and LOCKS.md if you need to verify fatal constraints (they require strict execution semantics, e.g., no look-ahead). Overall coherent, but exercise normal caution when allowing runtime Python execution and network access.
Review Dimensions
- Purpose & Capability (ok): Name/description say 'fund portfolio analytics'; SKILL.md and reference files focus on backtest/data pipelines, ZVT integration, locks/anti-patterns and component docs. Requested capabilities and preconditions (Python/ZVT, writable ZVT_HOME, recorders for data fetch) are proportionate to a quantitative fund tool.
- Instruction Scope (note): SKILL.md instructs the agent to run Python checks and recorders (e.g., python3 -c 'import zvt' and zvt recorders), to re-read seed.yaml before behavior, and to use local data directories (~/.zvt by default). These are expected for a backtest/data pipeline but mean the agent will run arbitrary Python snippets and may create/write files locally; review the precondition commands before granting execution.
- Install Mechanism (ok): No install spec or bundled code is included (instruction-only). The SKILL.md refers to installing zvt via pip if preconditions fail, which is standard package installation, not an opaque download. No remote/executable archives or unknown URLs are referenced in install steps.
- Credentials (note): The skill declares no required environment variables or credentials. The runtime preconditions reference ZVT_HOME (optional) and may prompt creating/using ~/.zvt. Data providers (eastmoney/joinquant/akshare/qmt) are selectable and some require separate accounts/keys; those are not requested by the skill but will be needed if you choose paid providers.
- Persistence & Privilege (ok): always is false and autonomous invocation is allowed by platform default. The skill will create/use its own data directory (~/.zvt) and run recorders, but it does not request persistent platform-level privileges or modify other skills' configs.
