mt5-trading-assistant
Warn
Audited by ClawScan on May 10, 2026.
Overview
This MT5 skill matches its stated trading purpose, but it contains hardcoded broker credentials and scripts that can place or close trades without built-in confirmations or clearly enforced risk limits.
Do not run this against a real trading account as-is. Remove and rotate the embedded credentials, use a demo account first, require confirmation before each trade, verify that risk limits are actually enforced, and pin/install dependencies in an isolated environment.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone running the scripts as-is could access the embedded broker account, and users may be encouraged to put their own trading password directly into source files.
The script contains a hardcoded MT5 account number, password, and broker server. The registry metadata declares no primary credential or required environment variables, so credential use is under-declared and unsafe.
"login": 277528870, "password": "KKx...@@@@", "server": "Exness-MT5Trial5"
Remove hardcoded credentials, rotate any exposed password, declare the credential requirement, and load credentials only from a secure credential manager or environment variables.
A mistaken or autonomous invocation could close active trading positions or change a financial account in ways that may cause losses.
The close-all command can iterate over positions and submit MT5 order-closing requests directly. The artifact does not show an interactive confirmation, dry-run mode, or loss/risk guard before executing.
if command == "all":
    success = close_all_positions()
...
result = mt5.order_send(close_request)
Require explicit user confirmation before every trade or close-all action, add a dry-run default, limit symbols/accounts by configuration, and enforce stop-loss and maximum-loss rules before sending orders.
Users may trust the skill to enforce trading safety limits that are not actually implemented, increasing the chance of unintended financial exposure.
The documentation advertises risk-management limits, but the included trading scripts primarily parse user-supplied volume/price values and send MT5 orders; no clear enforcement of daily loss or risk-per-trade limits is shown.
- Risk percentage limits
- Daily loss limits
Either implement and test the advertised risk controls in every order path or remove the claims. Make mandatory safeguards visible before users run live trades.
Users may install different package versions than the author tested, which can affect behavior or security.
The setup instructions use unpinned package installs. This is expected for an MT5 integration, but package versions and provenance are not locked down.
pip install MetaTrader5
...
pip install pandas numpy
Pin package versions, document verified sources, and install in an isolated Python environment.
