Mt5 Trading Assistant Pro

Security checks across malware telemetry and agentic risk

Overview

This trading skill mostly stays within its stated purpose, but it asks for sensitive MT5 account access and trading authority while leaving important safeguards and storage details unclear.

Install only if you are comfortable giving an agent access to MT5 trading details. Prefer a demo or read-only account first, require manual confirmation for every order or strategy activation, and verify where credentials and trade logs are stored and how to delete them before using live funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 83%
Finding
The skill encourages very broad natural-language commands such as executing strategies, backtesting, and adjusting parameters without clearly constraining what actions require explicit confirmation, scope validation, or safe defaults. In a trading automation context, ambiguous activation is more dangerous than usual because a misinterpreted user utterance could trigger analysis, strategy changes, or even trade preparation with financial consequences.

Vague Triggers

Low
Confidence: 79%
Finding
Examples like "Show me current opportunities" and "Scan the market" are generic and lack scope constraints such as symbols, watchlists, timeframes, or whether scanning may lead into automated recommendations or execution flows. In this skill, that looseness increases the chance of unintended activation or overly broad autonomous behavior, especially since the product markets itself as autonomous and action-oriented trading automation.

Ssd 2

High
Confidence: 98%
Finding
The changelog explicitly states the author changed credential-related wording to reduce security scanner detections while preserving the same functionality. That is a strong indicator of deliberate evasion, especially in a trading automation skill that stores credentials locally and can initiate sensitive financial actions, making hidden credential handling significantly more dangerous.

VirusTotal

66/66 vendors flagged this skill as clean.
