Skill v1.0.2

ClawScan security

Options Trading Backtester · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 30, 2026, 1:50 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only Python options backtester whose requested resources and instructions align with its stated purpose; it does not request credentials or perform unexpected accesses.
Guidance
This skill is coherent with its description, but take these practical precautions before running it:
1) Review the SKILL.md code (it contains runnable Python) before executing it.
2) Install and run it in a sandbox or virtual environment (pip install pandas numpy scipy matplotlib; only add yfinance if you want live/historical data).
3) Be aware that the optional yfinance dependency fetches market data from the internet; this is expected, but it means the skill is network-connected.
4) No credentials are required, so there is no obvious secret-exfiltration risk from the skill itself.
5) If you allow autonomous invocation, monitor the first few runs to ensure it behaves as you expect.
6) This tool provides simulations/estimates only; validate results before using them for real trading, and do not treat it as financial advice.

Review Dimensions

Purpose & Capability
ok
Name/description (options backtester) match the provided instructions and example Python backtesting code. Declared dependencies (pandas/numpy/scipy/matplotlib, optional yfinance) are appropriate for the stated functionality.
Instruction Scope
ok
SKILL.md contains runnable backtester code and guidance for running backtests. The instructions do not direct reading unrelated files, accessing unrelated credentials, or transmitting data to unexpected endpoints. Note: optional yfinance usage implies fetching market data from the internet, which is expected for this purpose.
Install Mechanism
ok
There is no install spec (instruction-only), so nothing is downloaded or written by the registry install process. Running the code locally will require installing standard Python packages, which is expected.
Credentials
ok
The skill does not request environment variables, credentials, or config paths. The declared primary/required env fields are empty, which is proportionate for a backtester that may optionally fetch public market data.
Persistence & Privilege
ok
always is false and the skill is user-invocable. disable-model-invocation is false (agent may invoke autonomously), which is the platform default; given the skill's limited scope and lack of credentials, this is not an escalated privilege, but you may want to monitor autonomous runs.