Quant Orchestrator (Free)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The quant/backtesting functionality is mostly coherent, but the “Free” skill includes an external paid billing path with a hard-coded API key that can charge a provided user ID.

Treat this as a paid or freemium skill, not purely free. If you install it, avoid the billing-enabled command unless you intend to be charged, review the SkillPay payment flow, and consider installing dependencies in an isolated environment.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

If the billing-enabled path is used with your user ID, your external billing balance may be debited or you may be directed to pay through SkillPay.

Why it was flagged

The skill embeds a billing service credential and can charge a SkillPay account for any supplied user_id. The registry declares no primary credential or required environment variables, and the code does not show a separate user confirmation before charging.

Skill content
API_KEY = "sk_72df..."; requests.post(f"{BILLING_URL}/charge", json={"user_id": user_id, "skill_id": SKILL_ID, "amount": 1}, headers=HEADERS)
Recommendation

Use only if you knowingly accept the paid billing flow. The publisher should remove the hard-coded key, declare the billing provider and permissions, and require explicit confirmation before each charge.

ASI09: Human-Agent Trust Exploitation
Medium
What this means

A user may install or invoke the skill expecting a free tool and only later encounter paid billing behavior.

Why it was flagged

The registry frames the skill as Free, while SKILL.md advertises pricing and billing.py performs charge operations. That mismatch can cause users to underestimate cost or account impact.

Skill content
Name: Quant Orchestrator (Free); Slug: quant-orchestrator-free
Recommendation

The listing should clearly label the skill as paid or freemium, make the non-billing path the obvious default, and present pricing consistently before execution.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill may fetch and execute third-party package code from PyPI, with versions that can change over time.

Why it was flagged

SKILL.md includes an install script for unpinned PyPI dependencies even though the registry metadata declares no install spec. These packages are purpose-aligned for a Python quant tool, but the dependency path is under-declared and not version-pinned.

Skill content
install:
  - type: "script"
    run: "pip install lightgbm pandas numpy requests"
Recommendation

Review dependencies before installing. The publisher should declare the install step in registry metadata and pin package versions or provide a lockfile.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Your user identifier and billing action may be sent to SkillPay when the paid path is used.

Why it was flagged

The billing flow transmits a user_id and skill identifier to an external billing provider. This is expected for a paid billing integration, but users should be aware that this data leaves their environment.

Skill content
BILLING_URL = "https://skillpay.me/api/v1/billing"; json={"user_id": user_id, "skill_id": SKILL_ID, "amount": 1}
Recommendation

Do not provide a user_id or follow payment links unless you trust the billing provider and intend to use the paid service.