backtesting
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary Python logic provided by the user through strategy files or JSON payloads. This is a primary feature for backtesting but allows the agent to run code within its execution environment.
- [EXTERNAL_DOWNLOADS]: The skill permits downloading datasets from remote URLs specified in the data source flags. This introduces a vector for processing potentially malicious external content.
- [CREDENTIALS_UNSAFE]: The skill utilizes an environment variable, $OPENCLAW_API_KEY, for authentication with the vendor's API at api.openclaw.ai. This is a standard implementation for the service provided by the author.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: Data is ingested from local files (e.g., historical.csv) and external URLs provided via command-line arguments.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands in the source data are documented.
  - Capability inventory: The skill can execute Python scripts, make network requests via curl, and process structured JSON/YAML data.
  - Sanitization: No specific validation or sanitization of external data content is described before it is processed by the strategy logic.
Audit Metadata