Financial Analysis Skill

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a local financial backtesting and reporting skill with no evidenced exfiltration or destructive behavior, but users should review its local file paths, optional API key mention, and package install steps.

Before installing, use a virtual environment, verify the Python packages and source, run the script with explicit CSV and output paths, avoid sharing generated reports if they contain private financial data or local paths, and only provide an Alpha Vantage key if you confirm that feature is actually needed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run with the default or an incorrect path, the skill may read local market data and generate files containing analysis results and path information.

Why it was flagged

The CLI reads a local CSV path and writes analysis output. This matches the stated backtesting purpose, but it can access local financial data and create files wherever the user points it.

Skill content
default=r'C:\\Users\\wu_zhuoran\\.openclaw\\workspace\\data\\marketdata.csv' ... parser.add_argument('--output', type=str, default='./backtest_output') ... result = skill.run_backtest(args.csv, args.output)
Recommendation

Run it with an explicit CSV path and output directory, and review generated reports before sharing them.

What this means

Installing packages directly from package indexes can pull changing dependency versions or packages from sources the user has not reviewed.

Why it was flagged

The install guidance uses unpinned third-party Python packages. This is normal for a Python analytics skill, but dependency provenance and versions are not locked.

Skill content
pip install yfinance pandas numpy matplotlib seaborn plotly
Recommendation

Install in a virtual environment, verify package names, and pin versions if reproducibility or supply-chain control matters.

What this means

A user might provide a market-data API key even though the registry does not declare it as required.

Why it was flagged

The documentation mentions an optional provider API key, while the registry metadata declares no primary credential or required environment variables. The credential is purpose-aligned for market data, and no leakage or unrelated use is evidenced.

Skill content
API key configuration required (if using Alpha Vantage): - ALPHA_VANTAGE_API_KEY=your_key_here
Recommendation

Only set provider API keys when you actually use that data source, keep them out of prompts and shared reports, and prefer least-privilege/free-tier keys.

What this means

Users may expect broader live data integrations than the provided artifacts clearly show.

Why it was flagged

The documentation advertises several external data providers, but the shown manifest and visible code primarily support local CSV-based analysis. This looks like capability overstatement rather than malicious behavior.

Skill content
Data sources - Yahoo Finance (via the yfinance library) - Alpha Vantage (free API) - Finnhub (free tier) - CSV files
Recommendation

Verify which data sources are actually implemented before relying on the skill or providing API keys.