Qc Backtest Master

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its QuantConnect backtesting purpose, but it can use local stored credentials, upload nearby data files, and overwrite or delete QuantConnect cloud assets.

Install only if you are comfortable giving the skill QuantConnect API access. Prefer a dedicated QC project, set credentials explicitly via environment variables, review any .json/.txt/.csv files next to the strategy before running, and understand that early-stop can permanently delete backtests.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may use an existing local QuantConnect/Lean login token that the user did not intentionally provide for this skill.

Why it was flagged

The skill can obtain QuantConnect account credentials from local files, including ~/.lean/credentials, not only from the explicitly required environment variables.

Skill content

Priority: environment variables > project .env file > ~/.lean/credentials file

Recommendation

Document and declare the credential file fallback, or require explicit user opt-in before reading ~/.lean/credentials or .env files.

What this means

Private notes, datasets, API configuration, or other local files in the strategy folder could be uploaded to QuantConnect unintentionally.

Why it was flagged

When a strategy is submitted, the code automatically reads and uploads every matching data file in the same directory, not just files the user explicitly selected.

Skill content

valid_data_extensions = {'.json', '.txt', '.csv'}
for file in os.listdir(base_dir):
    ...
    files_list.append({'name': file, 'content': content})

Recommendation

Show the exact upload list and require confirmation, or add an explicit --include-file option and exclusion rules.

What this means

A mistaken project ID, strategy path, or drawdown threshold could replace cloud code or remove a backtest result.

Why it was flagged

The skill clearly discloses that it overwrites/deletes cloud project or backtest artifacts, which is purpose-aligned but high impact if pointed at the wrong project or threshold.

Skill content

Local strategy files are uploaded as `main.py`. Old `Main.py` is auto-deleted... Early-stop **permanently deletes** the backtest — it cannot be recovered.

Recommendation

Use a dedicated QuantConnect project, back up important files, and review the early-stop threshold before running the full pipeline.