Qc Deep Feature Forensics
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its advertised trading-analysis purpose, but a crafted orders CSV could make its cache read or write CSV files outside the intended cache folder.
Review or fix the cache filename handling before running this on untrusted order exports. Use a virtual environment, install dependencies from trusted sources, and run the script in a dedicated folder. Keep in mind that first-run Yahoo Finance requests reveal which tickers and date ranges you are interested in, and that generated reports may contain sensitive trading information.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on a malicious or malformed orders CSV, the script could create, overwrite, or read .csv files outside its intended cache folder.
The ticker used in the cache filename comes from the orders CSV symbol field and is joined into a filesystem path without visible sanitization or a realpath check. A malformed symbol containing path separators could cause reads or writes outside the intended yfinance_cache directory.
Relevant excerpt from the skill:

    self.df['underlying'] = self.df['symbol'].apply(self._get_underlying)
    ...
    cache_file = os.path.join(self.cache_dir, f"{ticker}.csv")
    ...
    cached = pd.read_csv(cache_file)
    ...
    data.to_csv(cache_file, index=False)

Sanitize ticker-derived filenames with a strict allowlist, reject path separators, and verify the resolved cache path remains inside yfinance_cache. Until fixed, run only on trusted CSVs in an isolated directory.
Installing the dependencies may fetch newer package versions with behavior different from what the author tested.
The skill depends on third-party Python packages with lower-bound version ranges rather than pinned, reproducible versions. This is normal for many Python tools but leaves dependency resolution to the install environment.
    pandas>=1.5.0
    numpy>=1.23.0
    yfinance>=0.2.30
Install in a virtual environment and consider pinning or reviewing exact dependency versions before use.
Generated files may reveal your trading history, P&L patterns, or strategy signals if stored or shared carelessly.
The skill persists derived trade features and diagnostic reports locally. This is expected for the analysis purpose, but the outputs may contain sensitive trading-performance information.
`<name>_features.csv` — Full feature matrix for all trades
`feature_diagnosis.md` — Complete markdown report
Keep the output directory private, avoid committing generated reports to shared repositories, and delete outputs when no longer needed.
