Backtesting Trading Strategies

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent, user-directed backtesting tool that fetches market data, runs local Python analysis, and saves local reports.

Before installing, expect to run local Python scripts, install third-party Python packages, fetch data from public market-data providers, and create local data/report files. Use a virtual environment and a dedicated working directory. The artifacts do not show live trading authority or credential use.

VirusTotal

65/65 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

The agent can run the included Python scripts and create or modify local files while using the skill.

Why it was flagged

The skill is permitted to run Python commands and perform file operations; this is purpose-aligned for a local backtesting framework, but it is still meaningful local execution authority.

Skill content
allowed-tools: Read, Write, Edit, Grep, Glob, Bash(python:*)
Recommendation

Use the skill in a dedicated project directory, review generated commands before execution, and avoid granting it access to unrelated workspaces.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the prerequisites pulls external package code into the user's Python environment.

Why it was flagged

The setup instructions install third-party Python packages without pinned versions or a lockfile; this is expected for the tool but creates normal dependency-provenance considerations.

Skill content
pip install pandas numpy yfinance matplotlib
Recommendation

Install dependencies in a virtual environment, pin versions if reproducibility matters, and use trusted package sources.

ASI07: Insecure Inter-Agent Communication
Info
What this means

Yahoo Finance/yfinance or CoinGecko may receive the asset symbols and date ranges the user asks to analyze.

Why it was flagged

The scripts send the requested symbol/date parameters to external market-data providers, which is disclosed and central to the backtesting purpose.

Skill content
ticker = yf.Ticker(symbol) ... df = ticker.history(start=start, end=end, interval=interval) ... response = requests.get(url, params=params)
Recommendation

Only request symbols and ranges you are comfortable sharing with those public data providers, and review provider terms if needed.