v1.0.0

Quant Full Stack

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:32 AM.

Analysis

This skill is a coherent quant-trading workflow wrapper, but it runs local scripts from a separate ~/quant_trading project that users should verify before use.

Guidance: This appears to be a normal wrapper for an existing local quantitative trading project. Before installing or invoking it, confirm that ~/quant_trading, its virtual environment, and the six mapped task scripts are from a source you trust, especially because the reviewed package does not include those implementation files.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
runner.py
PROJECT_DIR = os.path.join(HOME_DIR, "quant_trading") ... script_mapping = { "01_data_system": "data_system.py", ... }

The skill’s main runner depends on task scripts and a project directory outside the packaged artifacts, so the reviewed package does not contain the code that performs the actual quant workflow.

User impact: If the local ~/quant_trading project or virtual environment contains unsafe or unexpected code, invoking this skill will run that code.
Recommendation: Before using the skill, inspect and trust the ~/quant_trading project, its virtual environment, and all mapped task scripts; package or document those dependencies clearly.

Unexpected Code Execution
Severity: Low, Confidence: High, Status: Note
runner.py
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120, cwd=PROJECT_DIR)

The skill executes local Python scripts through subprocess. This is purpose-aligned for a workflow runner and uses a fixed command list with a timeout, but it is still code execution under the user account.

User impact: Running a task can execute local project code and may read or modify files depending on what those external scripts do.
Recommendation: Run only trusted local quant scripts, review command arguments before use, and avoid connecting this wrapper to untrusted project directories.