Skill v1.0.3
ClawScan security
xtquant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 23, 2026, 10:06 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's docs and runtime instructions match a legitimate xtquant SDK (which connects to a local MiniQMT trading client), but there are small inconsistencies in metadata and platform assumptions that warrant caution before installing and running it.
- Guidance: This appears to be documentation for the real xtquant Python SDK (which connects to a local MiniQMT/QMT trading client). Before installing or running it:
  1) Verify the package source on PyPI and the vendor homepage (confirm package owner, checksums, or official repo). The skill metadata shows small inconsistencies (version/owner IDs) that could indicate an unreviewed bundle.
  2) Note the SDK expects a local MiniQMT client (Windows) and will interact with local trading data directories; only run it on a machine where you trust the broker client and where you are comfortable allowing trading operations.
  3) Run pip install in a virtualenv or isolated environment and inspect the installed package code.
  4) If you plan automation, confirm broker authentication is managed by MiniQMT (not provided to this skill) and avoid giving unrelated secrets to the agent.
  5) If anything about ownership or download URLs looks unfamiliar, prefer obtaining the SDK directly from the vendor or an official repository and double-check the package signature/metadata.
Review Dimensions
- Purpose & Capability (ok): Name/description, README and SKILL.md consistently describe an xtquant SDK that provides market data and trading via a local MiniQMT/QMT client; required binary (python3) and pip install guidance are coherent with that purpose.
- Instruction Scope (note): SKILL.md instructs the agent to pip install xtquant and to connect to a local MiniQMT/QMT client via TCP and to read MiniQMT data directories (e.g., userdata_mini). It does not request unrelated files or external endpoints beyond the vendor site and PyPI. However, it assumes a Windows-local MiniQMT process, yet the skill has no OS restriction; the instructions also reference local filesystem paths which are environment-specific.
- Install Mechanism (note): There is no built-in install spec (instruction-only). The docs tell users to pip install xtquant (PyPI) or download from the vendor site. That is expected for a Python SDK, but it means pip/network downloads will occur at install time; the homepage is a vendor site (thinktrader.net) rather than a well-known code repo, so users should verify the pip package source before installing.
- Credentials (ok): The skill does not request environment variables or credentials. Trading functionality relies on a local MiniQMT client and broker-side credentials configured in that client, which is proportionate to the stated trading purpose.
- Persistence & Privilege (ok): always:false and disable-model-invocation:false (normal). The skill does not request permanent platform privileges or attempt to modify other skills' configs.
