myquant

Security checks across malware telemetry and agentic risk

Overview

This is a coherent MyQuant trading SDK reference, but users must treat its live-trading examples and token handling as financially sensitive.

Install only if you intend to use the MyQuant/GoldMiner trading platform. Keep GM_TOKEN private, prefer environment variables or a secret manager, pin dependencies for production, test in backtest or simulated mode first, and do not run MODE_LIVE, order_close_all(), order_cancel_all(), margin functions, or market-order snippets against a real brokerage account without deliberate confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The authentication example encourages `set_token("your_token_here")`, which normalizes hardcoding credentials directly in source code. In practice, users often copy examples verbatim, leading to token leakage through repositories, logs, screenshots, or shared scripts, which could enable unauthorized access to trading or data APIs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README includes executable order-placement examples using market orders in a trading SDK context, but it does not clearly warn that the same code shape can be used in live mode and place real trades affecting funds and positions. In an agent-skill ecosystem, users may copy examples directly or run them with real credentials, so the absence of prominent live-trading safety warnings materially increases the risk of unintended financial loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README shows token setup and also demonstrates inline token usage via set_token("your_token_here") and run(..., token="your_token", ...), without warning against hardcoding or exposing credentials. This can normalize insecure secret handling, leading users to embed API tokens in code, shell history, shared notebooks, or repositories where they can be stolen and used for unauthorized trading or account access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents APIs and examples that can place real orders and modify live positions, but it does not present a strong, prominent warning that the same code paths may execute against live or broker-connected accounts. In a trading skill, omission of explicit safety guidance materially increases the risk of accidental real-money execution by users or agents that copy examples verbatim.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The examples include portfolio-wide destructive operations such as order_cancel_all() and order_close_all() without an explicit warning about their full-account impact. In a brokerage-connected environment, these calls can rapidly cancel pending orders or liquidate positions across an account, causing unintended financial loss and operational disruption.

Unpinned Dependencies

Low
Category
Supply Chain
Content
gm>=3.0.0
pandas>=1.5.0
numpy>=1.20.0
Confidence
94% confidence
Finding
gm>=3.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
gm>=3.0.0
pandas>=1.5.0
numpy>=1.20.0
Confidence
92% confidence
Finding
pandas>=1.5.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
gm>=3.0.0
pandas>=1.5.0
numpy>=1.20.0
Confidence
92% confidence
Finding
numpy>=1.20.0

VirusTotal

65/65 vendors flagged this skill as clean.
