ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Beta Backtester

v1.0.0

Professional backtesting framework for trading strategies. Tests SMA crossover, RSI, MACD, Bollinger Bands, and custom strategies on historical data. Generat...

0· 49·0 current·0 all-time
by@1477009639zw-blip
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md promises real backtesting (data loading from Yahoo/Tiger, computations with pandas/numpy, plotting, optimization). The shipped backtest.py (649 bytes) contains only an argparse parser and prints a fixed, hard-coded report — it does not import pandas/numpy/matplotlib, does not fetch data, and does no real computation. This is a clear mismatch between claimed purpose and actual capability.
!
Instruction Scope
Runtime instructions tell the user to run python3 backtest.py with strategy/ticker/year arguments and claim dependencies will be auto-installed. The instructions reference multiple data sources (Yahoo Finance, Tiger API) and CSV upload, but provide no guidance or code to obtain/validate data, no API key handling, and the included script does none of that. The SKILL.md is vague about how dependencies are installed, granting the agent or user broad discretion.
Install Mechanism
There is no install spec (instruction-only), which is low-risk from an installation perspective. However, the documentation claims 'pandas, numpy, matplotlib (auto-installed)' but no mechanism is provided to perform those installs. That inconsistency is informational but not an installation-borne code-execution risk.
Credentials
The skill requests no environment variables or credentials, which is appropriate. It references a 'Tiger API for professional data' but does not declare an API key requirement or use such credentials in code — this is inconsistent and could mislead users about what credentials would be needed if implemented.
Persistence & Privilege
always:false and no requested persistent system changes. The skill does not request elevated privileges or persistent presence; it is user-invocable only.
What to consider before installing
This skill appears to be a placeholder that prints canned backtest results rather than performing real analyses. Do not use its output for trading decisions. Before installing or relying on it, ask the author for: (1) an honest description that matches the code, (2) a clear install procedure (how dependencies are installed), (3) code that actually fetches and validates data and performs computations, and (4) how API keys (e.g., Tiger) would be handled. If you test it locally, run it in a sandbox and inspect network activity to ensure it doesn't fetch or transmit data unexpectedly.

Like a lobster shell, security has layers — review code before you run it.

backtestvk97bn8zb77n7808whwetchfgth83sjw0latestvk97bn8zb77n7808whwetchfgth83sjw0pythonvk97bn8zb77n7808whwetchfgth83sjw0quantitativevk97bn8zb77n7808whwetchfgth83sjw0tradingvk97bn8zb77n7808whwetchfgth83sjw0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📈 Clawdis
Binspython3

Comments