suspicious.dynamic_code_execution
- Location: scripts/signal_types.py:92
- Finding: Dynamic code execution detected.
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.dynamic_code_execution
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A custom signal file can influence the screening logic that the skill evaluates.
Custom signal expressions from YAML are dynamically evaluated with pandas after validation. This is an expected feature for computed trading signals, but untrusted or malformed YAML can affect what calculations are run.
    validate_expression(expr)
    # Resolve field names in expression to actual DataFrame column names
    resolved_expr = _resolve_expr_columns(df, expr)
    try:
        mask = df.eval(resolved_expr)

Use signal YAML files you trust, review any expr fields before running them, and keep the expression whitelist restrictions in place.
Installing the skill may download newer dependency code from the Python package ecosystem.
The documented install flow installs dependencies using range constraints rather than pinned or locked versions, so future installs may fetch package versions not reflected in the reviewed artifacts.
    tvscreener>=0.2.0
    pandas>=2.0.0
    pyyaml>=6.0
    pytest>=7.0.0
Review install.sh and requirements.txt before setup; consider pinning exact package versions if reproducibility is important.