Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawhub Publish

v0.2.3

Professional finance research toolkit — backtesting, factor analysis, options pricing, 64 finance skills, and 29 multi-agent swarm teams across 3 markets (A-...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description and runtime instructions align: this is a finance toolkit that requires installing a Python package (vibe-trading-ai) and exposes MCP tools for backtesting, data fetch, file I/O, and multi‑agent swarms. The optional env vars (TUSHARE_TOKEN, OPENAI_API_KEY, LANGCHAIN_MODEL_NAME) map to the features that need them (A‑share data, multi‑agent LLM runs).
Instruction Scope
SKILL.md directs the agent to list/load skills, read/write files, fetch web pages, OCR PDFs, run backtests, and launch multi‑agent swarms. Those actions are consistent with a research toolkit, but write_file + backtest + run_swarm means the package (or the agent via MCP) can create and execute arbitrary code and will send data to external LLM providers when run_swarm is used. The instructions do not ask for unrelated system paths or other credentials.
Install Mechanism
There is no platform install spec — the SKILL.md instructs the user to pip install vibe-trading-ai from PyPI. Installing third‑party Python packages is common but can run arbitrary code at install time and grants the package CLIs (vibe-trading, vibe-trading-mcp) that may start servers. The registry bundle itself contains no code to audit, so the actual runtime behavior depends entirely on an external package of unknown provenance.
Credentials
Only optional env vars are declared and they are reasonable for the features described. Important caveat: enabling run_swarm requires an OpenAI‑compatible key and model name and will send data to an external LLM provider — that creates a real risk of leaking sensitive inputs or research data to third‑party APIs if used without caution.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. It asks the user to add an MCP server entry which lets the agent run the vibe-trading-mcp command; this is expected for tools that expose long‑running backends, but starting a server on your system should be considered an operational action (examine what the MCP binary does before running).
What to consider before installing
This skill is coherent for finance research, but you should not blindly pip install and run its server. Steps to reduce risk:
1) Inspect the PyPI project page and source repository (if present) for vibe-trading-ai before installing.
2) Install and test inside an isolated environment or sandbox (separate VM/conda/venv) to limit impact.
3) Don't provide OPENAI_API_KEY or sensitive data to run_swarm unless you trust the package and understand what data will be sent to the LLM provider.
4) If you must use it, limit API key scope and monitor network activity while first running the MCP server.
5) Prefer running backtests on non‑sensitive sample data until you audit the package's code or maintainers.
If you cannot find a reputable source repository or maintainer info for the package, treat the install as high risk.

Like a lobster shell, security has layers — review code before you run it.

Tags: backtest, finance, latest, mcp, swarm, trading

Runtime requirements

Environment variables
TUSHARE_TOKEN (optional): Tushare API token for China A-share data (optional — HK/US/crypto work without any key)
OPENAI_API_KEY (optional): OpenAI-compatible API key — only needed for run_swarm (multi-agent teams). All other 15 tools work without it.
LANGCHAIN_MODEL_NAME (optional): LLM model name for run_swarm (e.g. deepseek/deepseek-v3.2). Only needed if using run_swarm.