Skill v1.1.0

ClawScan security

LEAN Engine — Algorithmic Trading · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 12, 2026, 9:03 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (running QuantConnect LEAN backtests); required binaries, env vars, and helper scripts match the described workflow and there are no obvious attempts to exfiltrate secrets or perform unrelated actions.
Guidance
This skill appears to do what it says: build/run LEAN backtests and manage data. Before using it: (1) set LEAN_ROOT and DOTNET_ROOT to a repository you control (do not point to any sensitive system path), (2) inspect your Launcher/config.json for live brokerage credentials — consider removing or backing them up if you only want to backtest, (3) run the scripts in a non-production environment first so you can confirm behavior (they will temporarily overwrite config.json in the Launcher folder but restore it), and (4) only run the dotnet install script from the official Microsoft URL (the skill suggests the official source). If you need higher assurance, review the three included scripts (configure_algo.py, download_us_universe.py, run_backtest.sh) locally before invoking the skill.

Review Dimensions

Purpose & Capability
ok
The name/description (LEAN backtests, data management, IB deployment) aligns with the included files and required items: dotnet and Python are required, and LEAN_ROOT/DOTNET_ROOT/PYTHONNET_PYDLL make sense for running LEAN. Scripts perform backtest config manipulation, data download, and launching the LEAN launcher — all expected for this functionality.
Instruction Scope
note
SKILL.md and the scripts operate on the LEAN repository paths (config.json, Data/, Algorithm.Python/) and instruct network calls only to expected sources (git clone from GitHub, yfinance for market data, dotnet install from Microsoft). One minor inconsistency: SKILL.md and run_backtest.sh claim the original config is "NEVER modified," but the script temporarily overwrites the Launcher config.json (it does make a backup and restores it on exit). No instructions read unrelated system files or contact external endpoints beyond the expected package/data sources.
Install Mechanism
ok
There is no packaged install; the skill is instruction-first and suggests installing .NET via the official dot.net install script and cloning QuantConnect/Lean from GitHub. The dotnet install URL is an official Microsoft domain. No opaque downloads, URL shorteners, or arbitrary code-hosted archives are used.
Credentials
note
The required environment variables (LEAN_ROOT, DOTNET_ROOT, PYTHONNET_PYDLL) are proportionate to running LEAN. The skill does not request unrelated secrets. Caution: the Launcher config.json (which the scripts temporarily replace) commonly contains brokerage credentials for live trading (Interactive Brokers). While the script sets the environment to backtesting and backs up/restores the original config, users should verify that their config.json does not contain sensitive live credentials they don't want loaded or exposed during runs.
Persistence & Privilege
ok
The skill does not request permanent/always-on privileges. It is user-invocable and does not set always: true. The scripts write files inside the LEAN repo (Data/, Results/), which is expected; they create temporary config copies and restore the original on exit.