Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Backtest Engine - Run Backtests
v0.1.0
Programmatic backtesting framework for trading strategies. Runs backtests with historical price data (yfinance or CSV), supports momentum/mean-reversion/fact...
by RunByDaVinci @clawdiri-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill is described as a programmatic backtest engine and the included Python scripts implement data loading (yfinance/CSV), built-in strategies, signal generation, transaction-cost models, walk-forward capabilities, regime detection, and metric calculation. The declared requirements (no env vars, no binaries) match the contents: it needs Python and standard data science libs (pandas/numpy/yfinance) which are documented in README.
Instruction Scope
SKILL.md and README describe running a CLI and passing a strategy definition or CSV. The runtime instructions and code operate strictly within backtesting scope (price data, strategy logic, metrics). Two items to note: (1) SKILL.md references a 'backtest-engine' CLI while the bundle provides scripts/backtest_engine.py — the script provides a CLI but there is no explicit wrapper named 'backtest-engine' included. (2) The engine supports loading custom strategy code via dynamic import (load_custom_strategy) which will execute arbitrary Python from user-supplied files; this is expected for extensibility but means untrusted strategy files can run arbitrary code on the host. SKILL.md does not explicitly warn about executing custom strategy code.
Install Mechanism
There is no install spec — this is an instruction + script bundle. That minimizes install-time risk. Dependencies are standard Python packages (yfinance, pandas, numpy, scipy) declared in README; no external downloads or obscure install URLs are used.
Credentials
The skill requests no environment variables or credentials, and its runtime behavior (network access to Yahoo via yfinance and reading a user-specified CSV path) is proportionate to its purpose. There are no unexpected credential requests. Note: it does use internet access for yfinance and may attempt to fetch SPY separately for regime detection if not present.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not attempt to modify other skills or system-wide settings. It runs as a standalone script; no elevated privileges or persistent installation are requested.
Assessment
This package appears to do what it says: run backtests against historical prices. Before using: (1) Be cautious when supplying or running custom strategy files — the engine dynamically imports and executes user-provided Python, so do not run strategies from untrusted sources. (2) Ensure you run it in a controlled environment with required Python deps installed (pandas, numpy, yfinance, etc.). (3) The engine will read CSVs from any path you provide and will fetch data from the Internet via yfinance — avoid passing sensitive file paths or secrets. (4) Note the small mismatch: SKILL.md mentions a 'backtest-engine' CLI while the repo provides scripts/backtest_engine.py; you may run the script directly (python3 scripts/backtest_engine.py). (5) Validate cost models, regime assumptions, and sample sizes before drawing conclusions from any backtest outputs.
Like a lobster shell, security has layers — review code before you run it.
latest vk979xptx47wyb4macc4g7xrj6583c23r
