ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Backtester

v1.0.0

Professional backtesting framework for trading strategies. Tests SMA crossover, RSI, MACD, Bollinger Bands, and custom strategies on historical data. Generat...

0· 120·2 current·2 all-time
by@1477009639zw-blip·duplicate of @1477009639zw-blip/betabacktestr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md advertises a professional backtesting framework (OHLCV ingestion, multiple indicators, optimization, plotting, Yahoo/Tiger data). The only shipped code (backtest.py) prints a fixed, hard-coded backtest summary and implements none of those features. This is a large mismatch between claimed capability and actual implementation.
!
Instruction Scope
Runtime instructions are simply to run python3 backtest.py. The doc references CSV uploads, Yahoo Finance, and a Tiger API, but provides no concrete instructions for fetching data, supplying API keys, or where/how to upload CSVs. The SKILL.md also says dependencies are "auto-installed" but provides no install mechanism or commands. The instructions are therefore incomplete and ambiguous relative to the stated functionality.
!
Install Mechanism
There is no install spec (instruction-only), yet SKILL.md claims that pandas, numpy, matplotlib will be auto-installed. No mechanism (pip, requirements file, or package manager) is provided. The included script doesn't import any of those libraries, further highlighting inconsistency.
!
Credentials
The skill declares no required environment variables or credentials, but the documentation references using the Tiger API for professional data (which would normally require API keys). This lack of declared credentials or guidance for secure credential usage is inconsistent with the documented external data options. On the positive side, there are no unexpected env vars requested.
Persistence & Privilege
The skill does not request always-on presence and does not declare any privileged persistence. default agent invocation is allowed (normal). No files, config paths, or system-level changes are requested.
What to consider before installing
This package is inconsistent: the README promises a full-featured backtester and automatic dependency installs, but the only code is a harmless stub that prints canned results. Before installing or using it: (1) don't trust its printed results for trading — they are not computed, they're hard-coded; (2) ask the author for the real implementation, an install mechanism (requirements.txt or pip command), and clear instructions for supplying data/API keys; (3) inspect any future code that performs network I/O or installs packages to verify endpoints and package sources; (4) if you need a real backtester, prefer well-known libraries or open-source projects with full source and reproducible installs. If you want to proceed cautiously, run the script offline in a sandbox to confirm behavior and avoid giving any credentials until a proper implementation is provided.

Like a lobster shell, security has layers — review code before you run it.

latestvk97awvtgamp53kmx0z97jw4efx83vvny

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📈 Clawdis
Binspython3

Comments