Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Options Spread Conviction Engine

v2.2.1

Multi-regime options spread analysis engine with Kelly Criterion Position Sizing. Scores vertical spreads (bull put, bear call, bull call, bear put) and mult...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, README, SKILL.md and included Python modules (options_math, leg_optimizer, quant_scanner, multi_leg_strategies, enhanced_kelly, etc.) are coherent with an options spread conviction engine. Required binary (python3) matches the stated purpose. However, SKILL.md and README also instruct installing an npm package (yahoo-finance2) and creating a sudo symlink (/usr/local/bin/yf) to a Homebrew binary — steps that are unusual for a Python-only analytic tool and are disproportionate unless the package explicitly needs that CLI. There are also metadata mismatches (registry lists no install spec but SKILL.md includes an install command; versions differ between registry (2.2.1) and SKILL.md (2.3.0)).
Instruction Scope
Runtime instructions ask to run an included scripts/setup-venv.sh (expected), but README/SKILL.md also recommend brew install jq, npm install yahoo-finance2 and a sudo ln -s into /usr/local — these actions require elevated privileges and modify system state outside the skill's directory. The SKILL.md embedded install metadata contains an install command invoking python3 on a shell script ('python3 scripts/setup-venv.sh'), which is incorrect and indicates sloppy packaging. The instructions otherwise reference expected data sources (Yahoo Finance) and internal files; they do not explicitly demand secrets or unrelated system files.
Install Mechanism
There is no registry-level install spec but SKILL.md includes an install step that runs the bundled setup-venv.sh, which is local and therefore reviewable (lower risk). The manual install examples recommend cloning a GitHub repo. However, recommending npm installation and creating a sudo symlink to /usr/local is high friction and risky: it alters system-wide binaries and requires root. The setup-venv.sh itself (not shown) should be inspected before running. No downloads from obscure external URLs were found in the provided manifest, which reduces supply-chain risk, but the mixed toolchain (brew/npm + Python) is unusual.
Credentials
The skill does not request environment variables, credentials, or config paths. Data access appears limited to public data sources (Yahoo Finance via yfinance or yahoo-finance2). Hard-coded account constraints in docs (e.g., $390 account) are surprising but not a secrets issue. No evidence of attempts to read unrelated system credentials or files.
Persistence & Privilege
The skill does not request always:true and does not declare elevated platform privileges. It does not modify other skills' configs in the provided files. The only potentially persistent/system-level change suggested is the optional sudo ln -s into /usr/local that would create a system-wide symlink — this is an install-time action recommended by the README, not an autonomously-running permission the skill demands.
Scan Findings in Context
[duplicate_kelly_implementations] expected: CODE_REVIEW_REPORT documents 3–4 different Kelly implementations across files. Code duplication is a maintenance/quality issue but within scope for a quantitative engine; not itself malicious.
[bare_except_silent_failures] unexpected: The review notes a mix of bare 'except:' clauses and silent failures. This is poor error handling and could mask unexpected behavior during runtime; it's a robustness/security concern to review before trusting automated trades.
[system_symlink_install_instruction] unexpected: README/SKILL.md recommend 'sudo ln -s /opt/homebrew/bin/yahoo-finance /usr/local/bin/yf'. Creating system-wide symlinks via sudo is unnecessary for a contained Python tool and introduces privilege-escalation risk if performed without review.
[install_metadata_command_mismatch] unexpected: SKILL.md metadata lists an install command 'python3 scripts/setup-venv.sh' that attempts to run a shell script with python. This is a packaging/documentation bug and suggests the package hasn't been carefully validated; it should be fixed or inspected.
[no_pre-scan_injection_signals] expected: Pre-scan injection signals were None — helpful but not definitive. The static report and codebase still contain quality and packaging issues that merit manual inspection.
What to consider before installing
This package appears to implement the options-analysis functionality it claims, but there are packaging and install inconsistencies that increase risk. Before installing or running it:

- Inspect scripts/setup-venv.sh and any install scripts in the repo line-by-line; do not run them until you verify they only create a virtualenv and pip-install known packages.
- Ignore or do not run the 'sudo ln -s /usr/local/bin/...' step unless you understand why a system-wide CLI is needed; avoid running sudo for third-party code unless absolutely necessary.
- The README suggests installing an npm package (yahoo-finance2) — confirm whether the Python code actually needs that JS package; if not, skip it.
- Because the repo has documented 'bare except' patterns and duplicated critical logic (Kelly implementations), consider running the test suite (tests/run_tests.py) in an isolated environment (container or VM) to verify behavior before trusting outputs for live trading.
- Prefer running the engine in an isolated environment (VM, container) with limited network and no access to production trading accounts. If you plan to connect to a broker/API later, supply credentials only at that stage and after code audit.

If you want, I can:

- Summarize the contents of scripts/setup-venv.sh (if you provide it) and flag any dangerous commands; or
- Highlight exact files/lines where bare excepts or subprocess/shell invocations occur so you can inspect them more easily.




Runtime requirements

Clawdis
Bins: python3
