Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wyckoff Agent Skill

v1.0.1

Wyckoff A-share analysis agent with full CLI integration. Detects local CLI installation, guides users through setup (install → register → configure data sou...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for youngcan-wang/wyckoff-agent-skill.

Install the skill "Wyckoff Agent Skill" (youngcan-wang/wyckoff-agent-skill) from ClawHub.
Skill page: https://clawhub.ai/youngcan-wang/wyckoff-agent-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install wyckoff-agent-skill

ClawHub CLI

npx clawhub@latest install wyckoff-agent-skill

Security Scan

Capability signals: Crypto, Can make purchases, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description (Wyckoff A-share CLI-based analysis) matches the instructions: install/initialize a wyckoff CLI, configure data sources (Tushare/TickFlow), set an LLM model provider, and run analysis. Required capabilities (time, web fetch, CSV/image parsing, plotting) are coherent with the stated purpose.
! Instruction Scope
SKILL.md explicitly instructs running CLI commands, performing online fetches, reading CSV/images, and persisting credentials. Those actions are relevant, but the instructions also direct the user/agent to run remote install commands and to persist login tokens automatically—operations that can write files and perform network auth without clarifying storage/encryption or verifying the install script contents.
! Install Mechanism
The registry contains no formal install spec, but SKILL.md recommends 'pip install youngcan-wyckoff-analysis' and offers a one-line 'curl -fsSL https://raw.githubusercontent.com/YoungCan-Wang/Wyckoff-Analysis/main/install.sh | bash'. Piping a remote raw script into bash is high risk unless the script and repository are vetted. The pip package and GitHub repo appear unverified/unknown in metadata (homepage/source unknown), increasing install risk.
Credentials
The skill expects users to configure service API keys (Tushare token, TickFlow API key) and model provider API keys (gemini/openai/claude). Those credentials are proportionate to the functionality. However, the skill does not declare env var requirements up front and documents that credentials are persisted to ~/.wyckoff/wyckoff.json and that automatic re-login can occur — this persistent local storage of secrets should be considered before installing.
! Persistence & Privilege
always:false (no forced inclusion) and model invocation is allowed (normal). The skill's flow instructs storing tokens on disk and automatic re-login, which grants ongoing network/auth activity and persisted secrets on the host. Combined with the remote-install recommendation and unknown origin, this persistent behavior increases the blast radius if the installed CLI or its install script are malicious or compromised.
What to consider before installing
This skill's functionality (Wyckoff analysis via a CLI) is coherent, but exercise caution before installing or running commands it suggests:
1) Do not run the curl | bash one-liner unless you inspect the install.sh content in the GitHub repo and confirm the repo/author are trustworthy.
2) Prefer installing the package in an isolated environment (virtualenv, container) and inspect its code before running.
3) Be aware the CLI persists credentials to ~/.wyckoff/wyckoff.json and may auto-relogin; if you supply API keys or account passwords, consider using least-privilege keys or dedicated/test accounts.
4) Verify the pip package (youngcan-wyckoff-analysis) exists on PyPI and review its project homepage, code, and recent activity; absence of a homepage/source in the registry is a red flag.
5) If you need higher assurance, ask the publisher for the canonical repository, a vetted install artifact (PyPI release), and a copy of the install script for manual review — providing those would increase confidence and could move the assessment toward 'benign'.
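
The install and credential patterns this scan calls out can be checked mechanically before a skill is installed. The following Python is an added example, not ClawHub's scanner or code from the skill; the rule names, severities and regexes are assumptions, and the sample lines are copied from the skill's Step 0 setup instructions further down this page.

```python
import re

# Heuristic rules: names, severities and regexes are assumptions for this
# example, not ClawHub's actual scanner logic.
RULES = [
    ("pipe-to-shell", "high",          # remote script executed without review
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    ("mutable-branch-url", "medium",   # branch content can change after review
     re.compile(r"raw\.githubusercontent\.com/[^/\s]+/[^/\s]+/(?:main|master)/")),
    ("unpinned-pip-install", "medium", # no ==version, so latest upload wins
     re.compile(r"\bpip3?\s+install\s+(?!-)(?!\S*==)[A-Za-z0-9][\w.\-]*")),
    ("secret-on-command-line", "medium",  # ends up in shell history / ps output
     re.compile(r"<(?:password|api_key|token)>")),
    ("persisted-credentials", "medium",   # secrets written to disk by the tool
     re.compile(r"credentials?\b[^\n]*\b(?:persisted|auto-saved)\b", re.I)),
]

# Constructed sample: lines copied from the skill's Step 0 setup instructions.
SAMPLE = """\
Run wyckoff --version.
pip install youngcan-wyckoff-analysis
curl -fsSL https://raw.githubusercontent.com/YoungCan-Wang/Wyckoff-Analysis/main/install.sh | bash
wyckoff auth login <email> <password> (credentials will be persisted, no need to login again)
wyckoff config tushare <token>
"""

def scan_skill(text):
    """Return (line_number, rule, severity) for every rule hit, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, severity))
    return findings

def verdict(findings):
    """Collapse findings into one label: any high-severity hit is 'suspicious'."""
    if any(sev == "high" for _, _, sev in findings):
        return "suspicious"
    return "review" if findings else "clean"

if __name__ == "__main__":
    hits = scan_skill(SAMPLE)
    for lineno, name, severity in hits:
        print(f"line {lineno}: {severity:6} {name}")
    print("verdict:", verdict(hits))
```

A hit only marks a line for manual review; it says nothing about whether the referenced script or package is actually malicious.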

Like a lobster shell, security has layers — review code before you run it.

latest vk97bb30qxn2fsrhedwcsbdtb9185b2br
76 downloads · 0 stars · 1 version · Updated 6d ago · v1.0.1 · MIT-0

Wyckoff Trading Agent

This skill operates in two modes: Setup (Step 0) and Analysis (Steps 1–9). Step 0 runs only when prerequisites are missing; once everything is configured, jump directly to analysis.

Step 0: Environment Detection & Guided Setup

Run these checks in order. Stop at the first failure and guide the user to fix it before continuing.

0.1 CLI Installation Check

Run wyckoff --version.

  • Success → proceed to 0.2.
  • Failure → guide installation:
    pip install youngcan-wyckoff-analysis
    
    Or one-line install:
    curl -fsSL https://raw.githubusercontent.com/YoungCan-Wang/Wyckoff-Analysis/main/install.sh | bash
    
    After install, verify with wyckoff --version again.

0.2 Auth Check

Run wyckoff auth status.

  • Logged in → proceed to 0.3. (Credentials are auto-saved; token expiry triggers automatic re-login.)
  • Not logged in → guide registration and login:
    1. Tell user to open https://wyckoff-analysis-youngcanphoenix.streamlit.app/ to register an account.
    2. After registration, run: wyckoff auth login <email> <password> (credentials will be persisted, no need to login again).
    3. Verify with wyckoff auth status.

0.3 Data Source Check

Run wyckoff config show.

  • tushare_token present → OK.
  • tushare_token missing → guide:
    • Tushare token is free, get it from https://tushare.pro/ after registration.
    • Then run: wyckoff config tushare <token>
  • tickflow_api_key present → OK.
  • tickflow_api_key missing → guide:

Note: At least one data source (tushare or tickflow) must be configured. Both are recommended for better coverage.

0.4 Model Check

Run wyckoff model list.

  • Has models → proceed to Step 1.
  • No models → guide: wyckoff model add (interactive) or wyckoff model set <name> <provider> <api_key> --model <model_name>.

When all checks pass, print a brief summary and proceed to analysis.

CLI Operational Commands

When the user's intent is operational (not analysis), route directly to the appropriate CLI command instead of running the analysis pipeline:

Intent                  Command
View portfolio          wyckoff portfolio list
Add position            wyckoff portfolio add <code> <shares> <cost>
Remove position         wyckoff portfolio rm <code>
Set cash                wyckoff portfolio cash <amount>
View signals            wyckoff signal
View recommendations    wyckoff recommend
Update CLI              wyckoff update

For the full CLI reference, see rules/cli-setup-guide.md.

Input Protocol

Accept any combination of:

  • Stock symbol(s), single or multiple.
  • holdings: [symbol+cost+qty, ...].
  • cash: available cash amount.
  • candidate: optional non-holding symbol.
  • CSV file(s), image(s), text constraints/goals.

Infer scenario automatically:

  • holdings non-empty + candidate: rotation comparison + per-holding actions.
  • holdings non-empty + no candidate: per-holding add/reduce/hold/exit.
  • holdings empty + cash: empty-position cash deployment.
  • No portfolio fields: symbol analysis flow.

Do not require users to explicitly say "switch/add/reduce/empty-position."

Full Capability Orchestration (Steps 1–9, Required Order)

  1. Parse and normalize inputs.

    • Normalize symbols to exchange-qualified format when possible.
    • Parse holdings into {symbol, cost, qty}.
    • Preserve raw user inputs for output audit.
  2. Acquire current time via system/tool first.

    • Fetch current timestamp from tool/system.
    • Convert to Asia/Shanghai.
    • Print 当前北京时间:YYYY-MM-DD HH:MM(UTC+8).
  3. Decide trading availability with authoritative calendar checks.

    • Judge weekday and continuous-auction windows: 09:30-11:30, 13:00-15:00 (Beijing time).
    • Query authoritative trading calendar when holiday/adjusted-workday uncertainty exists.
    • If not tradable, downgrade to post-market review + next-session plan + T+1-safe order strategy.
  4. Fetch online data with source fallback.

    • Follow rules/source-fallbacks.md strictly for each symbol.
    • Perform schema and row-count validation before accepting a source.
    • Log fallback attempts and final source per symbol.
  5. Integrate CSV/image modalities when provided.

    • Use CSV as supplemental historical structure input and reconcile with fetched data.
    • Treat chart images as micro-structure evidence; explicitly acknowledge image reception.
    • Continue analysis if one modality fails and state exact failure cause.
  6. Run Wyckoff structural analysis first.

    • Analyze latest available window (target 500 trading days) with MA50/MA200.
    • Identify only evidenced phases/events (SC/ST/Spring/LPS/SOS/UTAD).
    • Use event-date news search only for validation context, never as primary trade logic.
  7. Produce portfolio decisions after structure analysis.

    • For each holding, output one explicit action: add / reduce / hold / exit.
    • If candidate exists, compare against structurally weakest current holding and decide switch / partial switch / hold.
    • If holdings are empty and cash exists, output staged cash deployment suggestion.
  8. Render plots only when session rules allow.

    • Skip plotting during tradable intraday windows.
    • When plotting is allowed, enforce all constraints in rules/alpha-system-prompt.md.
  9. Apply capability degrade policy.

    • Never fabricate OHLCV rows, event timestamps, or trading status.
    • If all sources fail for a symbol, mark data_unavailable and continue others.
    • If valid rows < 30, report insufficient structure depth and avoid hard phase labels.
    • If image parsing fails, explain reason and continue CSV/text/online path.

For detailed capability-routing policy, read rules/system-capability-playbook.md.

Fixed Output Contract

Always output in this order:

  1. 当前北京时间:YYYY-MM-DD HH:MM(UTC+8)
  2. Trading verdict: 当前是否可盘中交易:是/否 (with reason if no).
  3. Data audit table per symbol: symbol, source_used, rows_kept, window_end_date, fallback_count.
  4. Wyckoff analysis: current cycle background and phase (only evidenced), key events with rationale, action boundaries respecting T+1.
  5. Portfolio action section (portfolio flow only): holdings snapshot, per-holding actions, candidate comparison, cash suggestion, final summary in Wyckoff tone.
  6. Plotting section (only when allowed by session rules).

Hard Constraints

  • Do not change the fixed prompt wording unless explicitly requested.
  • Do not fabricate missing OHLCV rows.
  • Do not ignore image input if image is parseable.
  • Do not use opaque white text boxes in chart annotations.
  • If fetching data requires running Python scripts, run them only in a sandboxed environment.
  • Prefer direct web/API fetch first; use Python scripts only when needed for fallback, parsing, or normalization.

Resources

  • rules/alpha-system-prompt.md: fixed role and hard rules.
  • rules/source-fallbacks.md: online source switching policy.
  • rules/system-capability-playbook.md: full system capability routing and degrade policy.
  • rules/cli-setup-guide.md: CLI installation, registration, and command reference.
