Vibe Trading
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to be a coherent finance research toolkit, but it relies on an external package and can process sensitive trading data or optional account credentials.
This looks purpose-aligned rather than malicious. Before installing, verify the `vibe-trading-ai` package, use a virtual environment, avoid unnecessary credentials, prefer read-only broker/data access, and keep broker exports and generated reports private. Treat all research and backtest results as informational, not automatic trading instructions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill runs code from a package that was not included in this artifact review.
The reviewed skill has no code files, so the actual MCP implementation comes from an external PyPI package. This is a normal install pattern for this kind of skill, but users should verify the package source before installing.
`pip install vibe-trading-ai` ... `vibe-trading-mcp` | Start MCP server
Install only from the expected PyPI package, review the package/version if possible, and use a virtual environment.
Providing these credentials could expose market-data tokens, LLM billing access, or broker-account access to the installed package.
The skill may use optional finance/API credentials and mentions optional broker login. These are relevant to market data and LLM swarm features, but they still involve sensitive account authority.
China A-share data | `TUSHARE_TOKEN` ... Multi-agent swarm (`run_swarm`) | `OPENAI_API_KEY` ... HK & A-share equities via Futu (broker login required, optional)
Use the minimum credentials needed, prefer read-only or sandbox broker access, and avoid entering broker credentials unless you need the Futu data feature.
Sensitive prompts or financial research supplied to swarm workflows may be processed by multiple model workers and the configured LLM provider.
The swarm feature intentionally creates internal LLM worker agents using an OpenAI-compatible provider. This is disclosed and purpose-aligned, but users should understand that task context may be shared with those workers/provider.
Multi-agent swarm (`run_swarm`) ... Swarm spawns internal LLM workers
Do not use swarm mode with confidential broker exports or private portfolio details unless you are comfortable sending that context to the configured model provider.
Trade journals and generated reports may reveal positions, trading habits, profits/losses, and strategy behavior.
The Shadow Account workflow processes broker-export data, derives trading rules, and creates reports. This is central to the product, but those derived summaries and reports can contain sensitive financial history.
Feed a CSV broker export ... `analyze_trade_journal` ... `extract_shadow_strategy` ... `render_shadow_report` — produce an HTML/PDF report
Use only intended broker-export files, store generated reports securely, and avoid sharing outputs publicly unless they are sanitized.
A mistaken or unsafe generated strategy/configuration could affect local files or produce misleading research results.
The documented workflow includes file creation and running backtests from generated strategy files. That is expected for a backtesting toolkit, but users should review generated code/configuration before running it.
Use `write_file()` to create `config.json` and `code/signal_engine.py` ... Use `backtest()` to run
Keep work in a dedicated project directory, review generated files, and avoid treating backtest output as trading advice without independent validation.
