Trading DevBox

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent for trading-strategy prototyping, but users should notice that it asks the agent to write and run a local Python/backtrader script without declaring those runtime dependencies.

This skill appears reasonable for a local trading-strategy sandbox. Before installing or using it, be aware that it may generate and run Python code locally, and make sure Python/backtrader dependencies come from trusted sources. Treat any trading output as a development aid rather than verified financial advice.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may create and run a local Python script while carrying out the requested strategy-development task.

Why it was flagged

The skill instructs the agent to write a generated Python file and execute it locally. This is central to the backtesting-sandbox purpose and is scoped to /tmp, but users should be aware local code execution is involved.

Skill content

mkdir -p /tmp/trading-devbox && cat > /tmp/trading-devbox/strategy.py ... python3 /tmp/trading-devbox/strategy.py

Recommendation

Review generated code before execution when possible, keep execution limited to temporary or sandboxed locations, and avoid putting secrets or unrelated local data into strategy inputs.

What this means

The skill may fail or behave differently depending on whether Python and backtrader are already installed in the user’s environment.

Why it was flagged

The workflow relies on python3 and the backtrader package, while the provided metadata declares no required binaries, environment variables, or install specification. This is an under-declared dependency rather than evidence of malicious behavior.

Skill content

import backtrader as bt ... python3 /tmp/trading-devbox/strategy.py

Recommendation

Before use, verify the required Python runtime and packages are installed from trusted sources, and prefer adding explicit dependency declarations in the skill metadata.