Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Strategy Backtest

v1.0.0

Quantitative strategy backtesting—implement, run, and tune trading rules on historical data; performance metrics (CAGR, max drawdown, Sharpe, win rate) and s...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The README promises a backtest engine, performance analytics, and optimization (CAGR, Sharpe, drawdown, etc.). The provided script (scripts/strategy_backtest_tool.py) contains only a minimal CLI stub that records command invocations to data/strategy_backtest_data.json and returns generic success messages; it does not import or use backtrader, pandas, or any backtesting logic. Example command paths in SKILL.md (scripts/skills/strategy-backtest/...) do not match the actual script path, further indicating mismatch between claimed capabilities and delivered code.
[!] Instruction Scope
SKILL.md instructs installing backtesting libraries and running commands that should execute real backtests. In practice the instructions point to a non-existent nested scripts path and the actual tool just appends records to a local JSON file. The instructions do not direct reading of unrelated system files or secrets, but they are vague/overbroad relative to what the code actually does (promises reports and metrics that the tool does not generate).
Install Mechanism
No install spec is provided (instruction-only). SKILL.md suggests pip-installing dependencies (pandas, numpy, backtrader, matplotlib) — this is normal for backtesting tooling but is a manual, local action. There are no downloaded archives or remote installers declared by the skill itself.
Credentials
The skill requests no environment variables, credentials, or external config paths. The included code only reads/writes a local data JSON file inside the repository's data directory and references some public documentation URLs. There are no requests for secrets or unrelated services.
Persistence & Privilege
always is false and the tool does not request elevated or persistent system privileges. It writes to a local data file relative to the script location (data/strategy_backtest_data.json). That is confined to the repository and is not an unusual privilege, but users should be aware the script will create/modify that file.
What to consider before installing
This skill is inconsistent: the description and SKILL.md promise a functioning backtest/optimization engine, but the shipped Python file is only a stub that logs commands to a local JSON file and returns canned success messages. Before installing or running:

1) Do not assume it performs real backtests — inspect or grep the code for actual strategy logic (indicators, trade generation, P&L calculations).
2) Note the SKILL.md example paths do not match the real script path; verify invocation paths.
3) If you expect full backtesting, either obtain a real implementation or replace the stub with trusted code.
4) Run any untrusted Python in a sandbox or VM and review what files it writes (the script writes data/strategy_backtest_data.json).
5) Don’t rely on this tool for investment decisions — it does not implement the analytics it advertises.

Providing the maintainer/source or an updated implementation would change the assessment to benign if the code truly performed the claimed tasks and paths matched the documentation.
