Security scan
OpenClaw
Safe
Medium confidence: the skill's instructions are consistent with a trading deployment workflow and it is purely instruction-based (no installation and no key requests), but there is a minor provenance/metadata inconsistency and it does not specify how broker/connector credentials are to be supplied; review before use.
Assessment recommendations
This instruction-only skill appears to implement a reasonable, safety-minded trading deployment workflow. Before installing: (1) verify the skill's provenance given inconsistent metadata (registry owner vs _meta.json/author); (2) test thoroughly in an isolated/simulated environment (paper mode) to confirm the agent's actual connectors and order-handling behave as intended; (3) ensure broker/API credentials are supplied and stored securely by your agent platform (the skill itself doesn't declare ...
ℹ Purpose and capabilities
The name, description, and runtime instructions consistently describe a strategy deployment lifecycle (validate → risk-check → paper → monitor → guarded live promote). However, metadata shows inconsistent provenance: registry ownerId (kn74114...) differs from _meta.json ownerId (redhat-agent-001) and SKILL.md author (RedHat Dev). That mismatch doesn't prove maliciousness but is a provenance red flag to verify.
✓ Instruction scope
SKILL.md stays within the declared purpose: it specifies inputs, explicit risk checks, monitoring, and approval gating for live promotion. It does not instruct the agent to read arbitrary system files, exfiltrate data, or call unexpected endpoints. The content is high-level (no exchange API calls), so the actual side effects depend on how the agent implements deployments.
✓ Install mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk or fetched during install. This is the lowest-risk install model.
ℹ Credential requirements
The skill requests no environment variables or credentials, which matches the fact it provides only high-level instructions. However, real paper/live deployments will require broker/exchange credentials and API keys; those are not declared here. Before using the skill in a real environment, confirm how the agent will obtain and protect necessary secrets and ensure the skill cannot be induced to promote live trading without explicit human-controlled credentials and approval.
✓ Persistence and permissions
`always` is false and the skill does not request persistent system-wide settings or modify other skills. Autonomous invocation is allowed by platform default; on its own that is not a disqualifier, but you should ensure policies prevent automated live promotions without human approval.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/24
First release of the strategy-deployer skill.
- Supports safe strategy deployment with risk gates and an explicit lifecycle.
- Provides paper and guarded live modes; live requires explicit approval.
- Enforces strict risk control, validation and monitoring at every stage.
- Outputs detailed deployment status, audit events and risk-compliance reports.
- Built-in safety rules block high-risk or unauthorized live trading.
● Harmless
Install command
Official: npx clawhub@latest install axodus-strategy-deployer
Mirror (accelerated): npx clawhub@latest install axodus-strategy-deployer --registry https://cn.longxiaskill.com
Skill documentation
Purpose
Deploy trading strategies safely through an explicit lifecycle: validate → risk check → paper deploy → monitor → (guarded) live promotion.
When to use
- Strategy backtesting is complete
- Moving from the research stage into paper trading
- Promoting a paper-validated strategy to live in a controlled way
Inputs
- strategy_spec (required, object|string): rules, signals, markets, timeframe
- mode (optional, enum: paper|live, default paper)
- risk_limits (required, object): max risk per trade, max drawdown, exposure cap
- validation_artifacts (optional, object): backtest report, paper performance stats
- approval (optional, string): explicit approval reference from the user/Morpheus for live
Steps
- Validate preconditions:
- Run risk checks:
- Deploy in paper mode by default:
- Monitor and record:
- Go live only when all of the following hold:
  - mode=live
  - explicit approval exists
  - preflight passes
- Define rollback/stop rules and execute them when triggered
Validation
- Paper mode produces complete logs and fill records
- Live is forbidden without approval plus the flag
- Risk constraints are enforced before every order
- Test stop conditions (kill-switch is effective)
Output
```yaml
deployment: "paper|live"
strategy: ""
markets: ["..."]
risk_limits: { "...": "..." }
status: "deployed|blocked|stopped"
audit_events: ["signal_detected", "risk_check_passed", "order_submitted", "order_filled", "trade_recorded"]
```
Safety rules
- Never bypass risk checks to "seize an opportunity"
- No live deployment without explicit approval and paper validation
- Do not imply certainty of returns; report only historical/conditional performance
Example
Paper deployment:
- strategy_spec: "Range mean reversion, 5m timeframe."
- mode: paper
- Output: deployment report + monitoring checklist + stop triggers
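The lifecycle and validation rules above (paper by default, live only with approval plus paper validation plus a passing preflight, a risk check before every order, and a drawdown kill-switch), carried through as an added Python example. This is not code from the skill or from the scan report; the field names, limit keys and the constructed order stream are assumptions.

```python
def promotion_gate(mode, approval, paper_validated, preflight_ok):
    """Paper is always allowed; live needs approval, paper validation and preflight."""
    if mode != "live":
        return True, "paper_mode"
    missing = [r for ok, r in ((approval, "no_explicit_approval"), (paper_validated, "no_paper_validation"),
                               (preflight_ok, "preflight_failed")) if not ok]
    return (False, missing[0]) if missing else (True, "live_approved")

def risk_check(order, limits, state):
    """Return None if the order passes, else the name of the violated limit."""
    if order["risk"] > limits["max_risk_per_trade"] * state["equity"]:
        return "max_risk_per_trade"
    if state["exposure"] + order["notional"] > limits["exposure_cap"]:
        return "exposure_cap"
    return None

def deploy(spec, mode, limits, approval, paper_validated, preflight_ok, orders):
    """Run the lifecycle over an order stream; returns the status report."""
    report = {"deployment": mode, "strategy": spec["name"], "markets": spec["markets"],
              "risk_limits": limits, "status": "deployed", "audit_events": []}
    allowed, reason = promotion_gate(mode, approval, paper_validated, preflight_ok)
    report["audit_events"].append(reason)
    if not allowed:
        report["status"] = "blocked"
        return report
    state = {"equity": spec["equity"], "peak_equity": spec["equity"], "exposure": 0.0}
    for order in orders:
        report["audit_events"].append("signal_detected")
        # Kill-switch: once max drawdown is breached, stop and submit nothing more.
        if 1 - state["equity"] / state["peak_equity"] >= limits["max_drawdown"]:
            report["audit_events"].append("kill_switch_triggered")
            report["status"] = "stopped"
            break
        violated = risk_check(order, limits, state)  # enforced before every order
        if violated:
            report["audit_events"].append(f"risk_check_failed:{violated}")
            continue
        report["audit_events"] += ["risk_check_passed", "order_submitted", "order_filled", "trade_recorded"]
        state["exposure"] += order["notional"]
        state["equity"] += order["pnl"]  # constructed fill result
        state["peak_equity"] = max(state["peak_equity"], state["equity"])
    return report

# Constructed sample input: the second order breaches per-trade risk, the third fill
# pushes drawdown past 5%, so the fourth order is never submitted.
SPEC = {"name": "range mean reversion, 5m", "markets": ["BTC-USD"], "equity": 10000.0}
LIMITS = {"max_risk_per_trade": 0.01, "max_drawdown": 0.05, "exposure_cap": 5000.0}
ORDERS = [{"notional": 2000.0, "risk": 50.0, "pnl": -300.0}, {"notional": 2000.0, "risk": 500.0, "pnl": 0.0},
          {"notional": 2000.0, "risk": 50.0, "pnl": -300.0}, {"notional": 500.0, "risk": 20.0, "pnl": 10.0}]
```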