registry  /  @backtest-kit/cli  /  15.3.0

@backtest-kit/cli@15.3.0

Zero-boilerplate CLI runner for backtest-kit strategies. Run backtests, paper trading, and live bots with candle cache warming, web dashboard, and Telegram notifications — no setup code required.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package executes user-selected trading strategies and can scaffold a project only when explicitly invoked with CLI flags.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit CLI modes such as --init, --docker, trading, Telegram, or user strategy/config loading.
Impact
Expected CLI behavior; no unconsented install-time execution or credential exfiltration found.
Mechanism
User-invoked project scaffolding, strategy-module loading, and trading integrations.
Rationale
Static hints arise from intended CLI capabilities: explicit project scaffolding runs npm install, and selected strategy/config files are dynamically loaded. Source inspection found no lifecycle hook, stealth execution, exfiltration, persistence, or foreign AI-agent control-surface mutation.
Evidence
package.jsonbuild/index.mjsbuild/index.cjstemplate/project/scripts/fetch_docs.mjstemplate/project/package.mustachedocker/package.jsontemplate/project/config/symbol.config.ts
Network endpoints4
raw.githubusercontent.com/tripolskypetr/backtest-kit/refs/heads/master/README.mdraw.githubusercontent.com/tripolskypetr/backtest-kit/refs/heads/master/packages/graph/README.mdraw.githubusercontent.com/tripolskypetr/backtest-kit/refs/heads/master/packages/pinets/README.mdraw.githubusercontent.com/tripolskypetr/backtest-kit/refs/heads/master/packages/ollama/README.md

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
    • build/index.mjs gates scaffolding and npm install behind explicit --init or --docker CLI flags.
    • template/project/scripts/fetch_docs.mjs only fetches named GitHub README URLs into scaffolded project docs.
    • build/index.mjs loads .env and uses Telegram/Binance features for explicit trading/UI modes; no credential exfiltration path found.
    • Dynamic loader imports user-selected strategy/config/module files, consistent with the package CLI’s stated execution role.
    • No writes to foreign AI-agent control paths, persistence locations, or hidden payload files found.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 12 file(s), 398 KB of source, external domains: raw.githubusercontent.com

    Source & flagged code

    7 flagged · loading source
    build/index.cjsView file
    13var util = require('util'); L14: var child_process = require('child_process'); L15: var BacktestKitUi = require('@backtest-kit/ui');
    High
    Child Process

    Package source references child process execution.

    build/index.cjsView on unpkg · L13
    13Cross-file remote execution chain: build/index.cjs spawns build/index.mjs; helper contains network access plus dynamic code execution. L13: var util = require('util'); L14: var child_process = require('child_process'); L15: var BacktestKitUi = require('@backtest-kit/ui'); ... L154: message: functoolsKit.getErrorMessage(error), L155: data: functoolsKit.errorData(error), L156: }, null, 2); ... L407: const __filename$3 = url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tag... L408: const __dirname$3 = path.dirname(__filename$3); L409: let _is_launched = false; ... L940: let allData = ""; L941: ps.stdout.on("data", (data) => { L942: allData += data.toString("ascii");
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    build/index.cjsView on unpkg · L13
    4528const npm = process.platform === "win32" ? "npm.cmd" : "npm"; L4529: const child = child_process.spawn(npm, ["install"], { cwd, stdio: "inherit", shell: true }); L4530: child.on("close", (code) => { L4531: if (code !== 0) { L4532: reject(new Error(`npm install exited with code ${code}`)); L4533: return;
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    build/index.cjsView on unpkg · L4528
    2970try { L2971: eval(self.params.babel.transpile(code, path)); L2972: }
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    build/index.cjsView on unpkg · L2970
    build/index.mjsView file
    matchType = previous_version_dangerous_delta matchedPackage = @backtest-kit/cli@15.0.0 matchedIdentity = npm:QGJhY2t0ZXN0LWtpdC9jbGk:15.0.0 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    build/index.mjsView on unpkg
    4496const npm = process.platform === "win32" ? "npm.cmd" : "npm"; L4497: const child = spawn(npm, ["install"], { cwd, stdio: "inherit", shell: true }); L4498: child.on("close", (code) => {
    High
    Shell

    Package source references shell execution.

    build/index.mjsView on unpkg · L4496
    template/project/config/symbol.config.tsView file
    1const { str } = require("functools-kit"); L2:
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    template/project/config/symbol.config.tsView on unpkg · L1

    Findings

    1 Critical4 High4 Medium5 Low
    CriticalPrevious Version Dangerous Deltabuild/index.mjs
    HighChild Processbuild/index.cjs
    HighShellbuild/index.mjs
    HighCross File Remote Execution Contextbuild/index.cjs
    HighRuntime Package Installbuild/index.cjs
    MediumDynamic Requiretemplate/project/config/symbol.config.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEvalbuild/index.cjs
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings