Mt4 Trader
Warn
Audited by ClawScan on May 12, 2026.
Overview
This skill can place and close real MT4 trades and depends on external EA binaries that were not part of the reviewed artifacts.
Install only if you fully trust the publisher and the external .ex4 files. Test on a demo account first, avoid enabling DLL import or startup auto-trading on a real account until reviewed, require explicit confirmation for every live trade, and configure any webhook or messaging integration carefully.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the MT4 EA is running, an agent or local process able to send bridge requests could place trades or close positions on the user's account.
The client sends trading commands as JSON request files, including direct buy and close-all actions. The provided artifacts do not show per-trade approval, lot limits, request authentication, or other safeguards around these high-impact requests.
_BRIDGE_DIR = os.environ.get("MT4_BRIDGE_DIR", ... "mt4_bridge") ... json.dump(request, f, ...) ... action "buy" ... action "close_all"
Use a demo or low-risk account first, require explicit confirmation for every live trade, add symbol/lot/loss limits, and protect or authenticate the bridge request files.
Once installed and enabled, the skill can act with the privileges of the logged-in MT4 trading account, including live order placement and account-changing actions.
The setup delegates the user's live MT4 trading privileges, and DLL-loading permission, to the EA. This uses the existing MT4 account/session authority rather than a clearly scoped credential contract.
"Allow live trading" → ✅ check (required!) ... "Allow DLL imports" → ✅ check ... It is recommended to check "Enable automated trading at startup" in the MT4 settings
Only enable live trading and DLL import for EA code you trust; prefer a dedicated demo or limited broker account, and document exactly which account, symbols, and permissions the bridge may use.
A changed, compromised, or misunderstood external .ex4 file could run inside MT4 with live-trading authority.
The reviewed package relies on externally downloaded closed MT4 binaries and copies them into MT4 EA/library execution directories. The artifacts do not provide source code, hashes, signatures, or pinned release provenance for those binaries.
GITEE_URL = "https://gitee.com/3603317/skill-plugin/tree/master/mt4" ... FILES = [("mt4_bridge.ex4", "Experts", ...), ("tools2.3.ex4", "Libraries", ...)] ... shutil.copy2(src, dst)
Do not deploy the .ex4 files until the publisher provides verifiable hashes, signatures, source/provenance, and a pinned version; review the EA separately before enabling live trading.
A strategy may keep operating after the initial setup step, potentially affecting future trades until the user stops it.
The strategy can be enabled persistently and then run in MT4 until stopped. This is disclosed and purpose-aligned, but it is important for users to understand the continuing autonomous behavior.
config['enabled'] = True ... print("策略将在 MT4 中自动运行。") ... def stop_strategy(): config['enabled'] = False
Set clear stop conditions, monitor active EAs, disable startup auto-trading unless needed, and verify that stop commands actually disable the MT4-side strategy.
Position details and account trading summaries could be shared with a message service or webhook endpoint.
The optional summary script can send position and profit/loss summaries to a configured messaging webhook. It defaults to localhost and skips sending without IDs, but a configured remote webhook would receive sensitive trading information.
WEBHOOK_URL = os.environ.get("SUMMARY_WEBHOOK_URL", "http://localhost:1608/api/message/send") ... payload = {"channel": CHANNEL, "to": USER_ID, "message": msg, "accountId": ACCOUNT_ID} ... requests.post(WEBHOOK_URL, json=payload, timeout=10)
Only configure trusted webhook endpoints, use HTTPS for remote endpoints, avoid sending sensitive account details unnecessarily, and keep the recipient IDs private.
