Nautilus Trader

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly a coherent NautilusTrader guide, but it directs broad remote/system setup and includes production live-trading flows that warrant review before use.

Install only after reviewing and approving each command. Avoid automatic curl-to-shell setup, prefer pinned releases, and use sandbox or testnet trading before any production run. If using live trading, provide only least-privilege API keys with withdrawals disabled and do not allow the agent to run a live trading node unattended.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If followed automatically, the agent could execute downloaded code and make system-level changes on the user's machine.

Why it was flagged

The skill instructs the agent to run remote installer scripts and a privileged system package install as part of its prerequisite flow whenever the environment is missing a prerequisite, without an explicit approval step.

Skill content
Before doing any work, you MUST verify the environment is ready... curl https://sh.rustup.rs -sSf | sh -s -- -y ... sudo apt-get install -y clang ... curl -LsSf https://astral.sh/uv/install.sh | sh
Recommendation

Require explicit user confirmation before any install, avoid curl-piped shell scripts when possible, pin versions, and document exactly what will be changed.

What this means

The installed code or dependencies may change over time, so results and security properties can differ from what was reviewed.

Why it was flagged

The setup uses external repositories and package indexes without pinned versions, tags, hashes, or a lockfile in the artifact. This is common for setup documentation, but it matters if an agent executes it.

Skill content
git clone https://github.com/nautechsystems/nautilus_trader.git ... uv pip install nautilus_trader ... uv sync --all-extras
Recommendation

Prefer a known release tag, pinned package versions, and reviewed lockfiles before installing or building.

What this means

Improperly scoped keys could allow real trades or other account actions if the generated trading code is run.

Why it was flagged

Live trading requires exchange API keys or private keys. This is expected for the stated purpose and is disclosed, but these credentials can authorize real account actions.

Skill content
Required credentials ... BINANCE_API_KEY, BINANCE_API_SECRET ... dYdX ... Mnemonic or private key ... export BINANCE_API_KEY="your_key"
Recommendation

Use testnet or paper accounts first, create least-privilege API keys, disable withdrawals, limit funds, and never paste secrets into chat unless necessary and safe.

What this means

Running production examples with real credentials can cause real financial gains or losses.

Why it was flagged

The live-trading example intentionally uses a production execution client. That is aligned with the skill's purpose, but it can place real orders when paired with credentials and a strategy.

Skill content
Complete live trading example (Binance Spot) ... testnet=False,      # PRODUCTION ... node.run()
Recommendation

Do not let an agent run production trading automatically; require explicit confirmation, use sandbox/testnet first, and start with small position sizes.