Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Backtester

v1.0.0

Professional backtesting framework for trading strategies. Tests SMA crossover, RSI, MACD, Bollinger Bands, and custom strategies on historical data. Generat...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match a Python backtester and required binary (python3) is appropriate. However, SKILL.md advertises multiple data sources (Yahoo Finance, Tiger API, CSV upload) and auto-install of pandas/numpy/matplotlib, while the included backtest.py only reads a local SQLite DB and uses pandas/numpy (no network or plotting). The advertised capabilities exceed the actual code.
Instruction Scope
SKILL.md instructs the user that the tool can use remote APIs and CSV upload and implies plotting output, but the runtime file only loads data from a specific local DB path (~/.openclaw/workspace/trading/a_stock_complete.db) and prints results. The prose gives the agent broad expectations (external APIs, fallback sources) that are not implemented in backtest.py, which is an inconsistency an operator should be aware of.
Install Mechanism
There is no install spec (instruction-only), which is low risk. SKILL.md claims pandas/numpy/matplotlib will be auto-installed but no install step is provided; the skill relies on runtime environment having these Python packages. This is a usability/consistency issue rather than an active install risk.
Credentials
The code accesses a single, clearly documented file path in the user's home directory for a local SQLite DB. No environment variables or network credentials are requested. File access is consistent with the stated local-database use, though users should confirm the DB path before running.
Persistence & Privilege
The skill does not request persistent privileges; always:false and no special system-wide modifications are present. The script only reads a local DB and prints output.
Scan Findings in Context
[pre_scan_injection_signals_none] expected: Static pre-scan reported no injection or suspicious regex findings. That aligns with the code being a small, local backtester (no network calls or obfuscated code). Absence of findings does not negate the documentation/code mismatches noted above.
What to consider before installing
This package is a small Python backtester that reads a local SQLite database at ~/.openclaw/workspace/trading/a_stock_complete.db and prints results. Before installing/using it:

(1) Verify you have Python and required packages (pandas, numpy) in the environment — the skill has no install step.
(2) Confirm the referenced DB path and contents; running the script will access that file path and will print errors if missing.
(3) Don’t assume remote data sources or auto-install behavior described in SKILL.md — the included code does not call Yahoo Finance, Tiger API, or perform downloads.
(4) If you need the advertised features (API or CSV ingestion), request the author/source code for those implementations or run the script in a sandbox until you confirm behavior.

If you will run this on sensitive systems, inspect or run the backtest.py in an isolated environment first and ensure no unexpected network or file access occurs.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

📈 Clawdis
Bins: python3
