QMT
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This is a coherent QMT trading skill, but it includes live trading and account-access examples without clear agent-level safeguards, so users should review it carefully before use.
Use this skill only if you understand QMT and intend to work with a broker-authorized trading environment. Keep generated strategies in backtest or simulation first, review every account ID, symbol, quantity, price, and order type, and do not allow autonomous live trading, cancellations, or transfers without explicit confirmation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or user runs similar generated code against a logged-in QMT account, it could place real market orders and cause financial loss.
The skill provides a scheduled live-order example that can place a trade when connected to QMT, but the artifacts do not add explicit agent confirmation, dry-run defaults, or trade limits.
def market_open(ContextInfo):
order_shares('600519.SH', 100, 'fix', 0, ContextInfo, '市价委托')Require explicit user approval before any live order, cancellation, fund transfer, or account mutation; default generated examples to backtest or simulation mode; show account, symbol, side, quantity, price, and estimated impact before execution.
A connected QMT session may expose sensitive account, asset, order, trade, and position information and can authorize trading actions through the local client.
The documentation shows use of a local MiniQMT userdata/session path and a broker account object to subscribe and query assets, but the skill metadata declares no credential or config-path boundary.
path = 'D:\\迅投极速交易终端 睿智融科版\\userdata_mini'
acc = StockAccount('1000000365')
xt_trader.subscribe(acc)
asset = xt_trader.query_stock_asset(acc)Clearly document required account/session access, limit use to user-specified accounts, avoid printing sensitive account details by default, and require confirmation before using any live broker session.
Installing packages from an unexpected source or newer unreviewed version could affect a trading environment.
The skill has no repository provenance in metadata and uses lower-bound package requirements; this is common documentation/setup behavior but worth noticing for a trading-related integration.
"repository": "", "packages": [ "xtquant>=1.0.0", "numpy>=1.20.0" ]
Install xtquant only from the official broker/vendor-recommended source, consider pinning known-good versions, and review the package before using it with a live account.