v0.1.0

Backtest Engine - Run Backtests

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:59 AM.

Analysis

The tool mostly matches its backtesting purpose, but it includes a user-provided Python strategy loader that can execute local code and is not clearly disclosed in the main workflow.

Guidance: Install only if you are comfortable running a local Python backtesting tool. Treat any custom Python strategy file as executable code, use a virtual environment, pin dependencies if possible, and remember that the tool does not appear to place real trades but its reports could still influence financial decisions.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Medium | Confidence: High | Status: Concern
scripts/backtest_engine.py (excerpt; imports and return statement added here to make the excerpt self-contained):

import importlib.util
from typing import Callable

def load_custom_strategy(strategy_file: str, strategy_fn: str) -> Callable:
    """Load a user-defined strategy function from an external file."""
    # Build a module spec pointing at the user-supplied path.
    spec = importlib.util.spec_from_file_location("user_strategy", strategy_file)
    mod = importlib.util.module_from_spec(spec)
    # exec_module runs the file's top-level code with the caller's permissions.
    spec.loader.exec_module(mod)
    # Assumed completion of the excerpt: return the named strategy callable.
    return getattr(mod, strategy_fn)

Importing a user-specified Python file with exec_module runs that file's top-level code. This is not clearly disclosed in the YAML-focused SKILL.md workflow and can execute arbitrary local code if an untrusted strategy file is used.

User impact: A malicious or unreviewed strategy file could run commands, read files, or perform other actions under the user's local permissions.
Recommendation: Use only trusted custom Python strategy files, inspect them before running, and prefer the built-in strategies or a non-executable strategy format when possible.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
README.md
pip install yfinance pandas numpy scipy

The setup instructions install public Python packages without version pins. This is purpose-aligned for a Python backtesting tool, but package provenance and version drift matter.

User impact: Future dependency versions or compromised packages could affect behavior or results.
Recommendation: Install in an isolated environment and consider pinning dependency versions before relying on results.