Stock Strategy Backtester

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: stock-strategy-backtester
Version: 1.0.4

The `scripts/backtest_strategy.py` script takes a `--csv` argument, which is a file path. While the script's intended purpose is to read OHLCV data, an AI agent could potentially be prompted to supply a path to an arbitrary, sensitive CSV-formatted file on the system. The script would then read and process this file, and its contents (transformed into backtest metrics) would be included in the JSON output to stdout. This constitutes a data disclosure vulnerability, as an attacker could potentially trick the agent into revealing sensitive local file contents. However, the script itself does not exfiltrate data to external endpoints, install backdoors, or execute arbitrary commands, indicating a vulnerability rather than intentional malice.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may execute the bundled script and read the CSV file path provided for analysis.

Why it was flagged

The skill directs the user or agent to run a bundled local Python script against a selected CSV file. This is expected for a backtesting tool, but it is still local code execution.

Skill content

python scripts/backtest_strategy.py \
  --csv /path/to/prices.csv

Recommendation

Use it only with OHLCV CSV files you intend to analyze, and review the bundled script if you do not trust the package source.

What this means

Users have less publisher/provenance context than they would for a package with a verified repository or homepage.

Why it was flagged

The registry metadata does not provide an external source or homepage for independent provenance checking.

Skill content

Source: unknown
Homepage: none

Recommendation

Install only if you trust the registry entry and are comfortable with the bundled files.