alpha-vault

Warn

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The setup script scripts/build_ref.py is designed to crawl the parent repository structure up to three levels above the skill directory (Path(file).resolve().parents[3]). It performs recursive filesystem operations and copies files into the skill's local storage.
  • [COMMAND_EXECUTION]: The implementation script ref/B-因子构建类/基于隔夜与日间的网络关系因子/source/loade_factor-4bb4349b.py uses sys.path.insert to add an absolute local path (/data1/hugo/workspace/qlib_ddb) to the Python search path, which could lead to arbitrary module loading depending on the local environment.
  • [EXTERNAL_DOWNLOADS]: The skill makes external network requests to non-whitelisted domains for financial data. For example, ref/C-择时类/C-VIX中国版VIX编制手册/source/get_shibor-13d19ae9.py fetches data from cdn.jin10.com.
  • [EXTERNAL_DOWNLOADS]: Multiple documentation files (e.g., ref/B-因子构建类/个股动量效应的识别及球队硬币因子/source/README-084852ab.md, ref/B-因子构建类/筹码因子/source/README-2e8fd098.md) provide links to Baidu Pan and Google Drive for the acquisition of required datasets. These are external, unverifiable binary sources.
  • [CREDENTIALS_UNSAFE]: Several files contain placeholders or instructions for database connection strings and API tokens (e.g., MySQL connection strings in ref/B-因子构建类/个股动量效应的识别及球队硬币因子/source/README-084852ab.md and Tushare tokens in ref/D-组合优化/MLT_TSMOM/source/config-50ed4012.py).
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 7, 2026, 07:35 AM