Skill v1.0.2
ClawScan security
投资组合分析技能 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 12:40 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill does what it says: offline risk-parity/backtest analysis on local CSVs; requested footprint (no env vars, no installers, no network calls in code) is consistent with its purpose, with only minor documentation leftovers to check.
- Guidance: This skill appears coherent and local-only, but take these precautions before installing or running it:
  - Run it first in an isolated/sandbox environment and monitor network traffic to confirm no outbound connections occur.
  - Inspect and, if desired, change the default CSV path in optimized_main.py to avoid accidental reads of developer-specific paths.
  - Note a minor docs inconsistency: SKILL.md lists 'pip install yfinance ...' while other docs and the code do not import yfinance; remove yfinance from install instructions unless you intend to use it.
  - Review output directory settings to ensure results are written to an intended location (avoid writing into sensitive system folders).
  - If you will supply real/secret financial files, ensure they are stored/processed according to your data-handling policies.
Review Dimensions
- Purpose & Capability (ok): Name/description match the actual code and files: the package implements rolling-window risk-parity analysis, backtest and local report/chart generation. It does not request unrelated credentials or binaries.
- Instruction Scope (note): Runtime instructions restrict the skill to local CSV input and local outputs. The only caveats are documentation references to a default, user-specific CSV path (C:\Users\wu_zhuoran\.openclaw\workspace\data\marketdata.csv) which is a leftover dev default and should be changed; otherwise instructions do not instruct access to unrelated system files or network endpoints.
- Install Mechanism (ok): No install spec is provided (instruction-only + bundled code). No downloads from external URLs or extraction steps. Dependency lists are standard Python libs (pandas/numpy/matplotlib/seaborn).
- Credentials (ok): The skill declares no required environment variables or credentials. The code reads a CSV and writes outputs only; this is proportionate for a local backtest tool.
- Persistence & Privilege (ok): Skill does not request always:true and does not modify other skills or system configurations. It only reads a provided CSV path and writes output files to the output directory.
