Skill v1.0.1

ClawScan security

Stock Strategy Backtester Clean · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Feb 28, 2026, 10:41 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose and required resources align with a local CSV-based backtester, but the included Python script appears truncated/buggy and may fail at runtime — this is likely sloppy engineering rather than malicious, but you should inspect and test before trusting results.
Guidance
This skill appears to do what it says (local CSV backtests) and requests no secrets, but the included Python file is truncated and contains an apparent typo that will likely cause runtime errors or incomplete output. Before using it on important data: (1) open and review the complete scripts/backtest_strategy.py file locally and fix obvious bugs (e.g., 'gros' -> 'gross' or correct variable name) and ensure the final output routine exists; (2) run the script in an isolated environment with small test CSVs to validate outputs and JSON contract; (3) do not supply any credentials or sensitive files; (4) if you rely on results for decisions, independently verify metrics with another trusted tool. If you want, I can (a) point out the exact lines that need fixing if you paste the full script, or (b) provide a small test CSV and expected output to validate behavior.

Review Dimensions

Purpose & Capability
ok: Name, description, SKILL.md, and the included Python script consistently implement a local, long-only backtester for OHLCV CSV files. No network calls, external services, or unrelated credentials are requested.
Instruction Scope
concern: Instructions only tell the agent to run the bundled script against local CSVs, which is appropriate. However the provided script is truncated in the manifest and contains at least one obvious typo (e.g., 'proceeds = gros' / 'gros' undefined) and truncation near the finalization of in-position handling and output. That creates a risk the script will crash or produce incomplete/misleading output; SKILL.md mentions exporting artifacts and JSON output but it's unclear whether those are fully implemented.
Install Mechanism
ok: Instruction-only skill with a bundled Python script; no install steps, no downloads, and no package manager usage. Risk from install mechanism is low.
Credentials
ok: No environment variables, credentials, or config paths are requested. The script only requires a local CSV path and uses standard library modules.
Persistence & Privilege
ok: Skill is not forced-always, does not request persistent system privileges, and does not modify other skills or system configuration in the manifest.