ClawHub

rqalpha

Security checks across malware telemetry and agentic risk

Overview

This is a coherent RQAlpha backtesting helper, with trading-adjacent examples that users should keep limited to simulation unless they deliberately configure live brokerage integrations.

Install in a virtual environment, verify the upstream RQAlpha package, and treat all examples as backtesting or simulation by default. Do not connect broker gateways, live-trading mods, or brokerage credentials unless you intentionally opt in, understand the real-money risk, and require explicit confirmation before any order-capable action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The AI-agent guidance expands the skill beyond local backtesting into generic multi-source analysis, monitoring loops, and alerting workflows. That broader operational framing can cause an agent to combine this skill with external tools or continuous execution patterns that were not scoped, reviewed, or safety-constrained here, increasing the risk of unintended data access, autonomous monitoring, or action chaining.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill mentions live-trading integration via rqalpha-mod-vnpy without a clear warning that this can connect to broker infrastructure and potentially affect real-money accounts. In an agent context, normalizing live-trading capability without prominent safeguards can lead users or downstream agents to treat execution-capable workflows as low-risk research tasks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal