Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Backtest Poller

v1.0.0

Background daemon that monitors QuantConnect backtests with adaptive polling, real-time equity tracking, drawdown early-stop, auto-download, and auto-diagnos...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (monitor QuantConnect backtests) matches required env vars (QC_USER_ID, QC_API_TOKEN, QC_PROJECT_ID), required binary (python3), and the code which calls QuantConnect endpoints (read, delete, read orders). The ability to delete backtests and download results is coherent with the stated early-stop and auto-download features.
Instruction Scope
SKILL.md and the CLI/poller code stay within the declared scope: they read/write state.json, poll QC API, optionally delete backtests, download results into results/, run a local diagnosis call, and emit macOS notifications. There are no instructions to read unrelated system files or to send data to third-party endpoints beyond quantconnect.com.
Install Mechanism
No automated install spec is provided (skill is instruction/file-based). Source includes Python scripts and requirements.txt (requests, python-dotenv) which the user must install manually. This is not inherently risky, but users should note dependencies must be installed in their environment before use.
Credentials
Only QuantConnect credentials and optional path env vars (STATE_FILE, LOG_FILE, RESULTS_DIR) are required. The primary credential is QC_API_TOKEN which is appropriate for an API client. The requested env vars are proportional to the functionality; no unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It runs as a local background process (nohup) and persists state to state.json and results/ under the working directory or locations set via env vars. This behaviour matches the described daemon nature.
Assessment
This skill appears to do what it says: it will run a local Python daemon that polls QuantConnect, may permanently delete backtests (early-stop), and will store state and downloaded results under state.json, poller.log, and results/. Before installing:
1) Only provide QC_USER_ID, QC_API_TOKEN, and QC_PROJECT_ID if you trust the code; these are live API credentials and the token can be used to delete backtests.
2) Consider creating or using a token with the minimum needed privileges, or test in a throwaway project first.
3) Install dependencies in a virtual environment (pip install -r requirements.txt) to avoid contaminating system Python.
4) Note the default data paths live in the skill directory but can be overridden with STATE_FILE/LOG_FILE/RESULTS_DIR env vars; set them to locations you control.
5) To stop the daemon, use the provided CLI stop-poller command or kill the PID recorded in state.json.
If you want additional assurance, review the included code files yourself or run in an isolated environment (container/VM).


latestvk971ya50a07eaem2b3bn3p94es832gqp

Runtime requirements

👀 Clawdis
OS: macOS · Linux
Bins: python3
Env: QC_USER_ID, QC_API_TOKEN, QC_PROJECT_ID
Primary env: QC_API_TOKEN
