Skillv1.0.3

ClawScan security

QMT · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 23, 2026, 10:04 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is documentation + examples for the QMT/xtquant trading client and is internally consistent with that purpose; it does not request unrelated credentials or install arbitrary code, but the examples can interact with a local trading client and place real orders so use caution.
Guidance: This bundle is documentation and examples for the QMT / xtquant trading client and appears coherent. Before using: (1) do not run example code against a real brokerage account — test with a sandbox or paper/trading-enabled test account; (2) review the xtquant package source and only install it from a trusted source (pip package provenance); (3) be aware the demos assume a local QMT/miniQMT client (Windows) and local data paths; (4) never paste real account credentials into code you did not audit, and confirm broker permissions before enabling automated orders.

Review Dimensions

Purpose & Capability: okName/description claim a QMT trading terminal and the package files, requirements (python3, xtquant) and examples all match that purpose. Required binaries/env/configs are proportional to a Python trading SDK that connects to a local QMT/miniQMT client.
Instruction Scope: noteSKILL.md and included demos contain direct examples of trading calls (order_shares, cancel, connect/subscribe) and reference local QMT paths and account IDs. This is expected for a trading integration, but those instructions, if executed, will interact with brokerage APIs and can place real trades — the agent/docs do not themselves request secrets but they do assume access to a running QMT/miniQMT client and broker-enabled accounts.
Install Mechanism: okNo install spec is provided (instruction-only plus docs). requirements.txt lists xtquant and numpy which is appropriate for the described SDK; nothing is downloaded from arbitrary URLs and no archive extraction is present.
Credentials: noteThe skill does not request environment variables, secrets, or unusual config paths. It does expect local QMT/miniQMT installation directories and account identifiers to be used by the examples — those are reasonable for a trading SDK but are sensitive (account IDs, broker access) and should be handled carefully by the user.
Persistence & Privilege: okSkill is not always-enabled and does not request persistent system privileges or attempt to modify other skills. It is user-invocable and may be invoked autonomously by the agent (platform default), which is normal for skills.