BacktestBot

v0.0.2

Backtest trading strategies against historical market data with performance analytics and risk metrics

by Collier King (@collierking)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (backtesting + analytics) align with requesting an API key to a backtest service. Asking for a BACKTESTBOT_API_KEY is proportionate to that purpose. However, the registry entry lists no source, homepage, or implementation details, which means you cannot verify where your API key will be sent or how data will be handled.
Instruction Scope
SKILL.md describes backtesting capabilities and references an optional BACKTESTBOT_DATA_DIR for caching, but it does not specify endpoints, request formats, or where network requests are sent. The SKILL.md documents BACKTESTBOT_DATA_DIR as an optional variable but that variable is not listed in the declared requires.env block—this mismatch is a minor inconsistency. Because the instructions lack explicit trustable endpoints or telemetry/privacy statements, it's unclear what data (strategy definitions, historical data, or results) will be transmitted off-host.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be written to disk or downloaded during install. That lowers the attack surface relative to skills that fetch external binaries.
Credentials
Only a single required credential (BACKTESTBOT_API_KEY) is declared, which is proportionate for an external backtesting API. The optional BACKTESTBOT_DATA_DIR is mentioned but not declared in requires.env. There are no unrelated or extra credentials requested, but because the API key will be used to authenticate network calls to an unverified service, you should treat it as sensitive and only provide a key with limited scope.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only. It does not declare any system-wide configuration changes or elevated persistence. Autonomous invocation is allowed by default but is not combined here with other high-risk flags.
What to consider before installing
This skill appears to do what it says (backtesting), but the package provides no source code, homepage, or endpoint documentation — so you cannot verify where your BACKTESTBOT_API_KEY or any strategy/data will be sent. Before installing or setting BACKTESTBOT_API_KEY: (1) prefer to obtain the key from a known/trustworthy provider and confirm the service's endpoint and privacy policy, (2) create a scoped or revocable API key with least privilege, (3) avoid using production accounts or real brokerage credentials for testing, (4) if you set BACKTESTBOT_DATA_DIR, point it to a controlled directory and confirm what is cached, and (5) be prepared to revoke the API key if you notice unexpected activity. If the publisher can supply a homepage, API docs, or contact info, re-evaluate once those are available.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9760hrk7bd4k15pg3433rg9z981m0f4

Runtime requirements

Env: BACKTESTBOT_API_KEY
Primary env: BACKTESTBOT_API_KEY
