ClawHub

实现基于qmt智能交易终端的A股交易数据本地化

Security checks across malware telemetry and agentic risk

Overview

This is a coherent QMT-based A-share market-data downloader with expected local file writes and process launching, not a hidden data-stealing or destructive skill.

Install only if you intend to use QMT for A-share historical market-data downloads. Before running it, verify config.json points to the correct QMT installation and a safe data directory, expect potentially large CSV writes or overwrites, and use the localhost web UI only on a machine you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 假设 QMT 安装路径在配置中或固定
    qmt_path = r"C:\Program Files\XtMiniQmt\XtMiniQmt.exe"  # 需根据实际路径配置
    try:
        subprocess.Popen([qmt_path], shell=True)
        print(f"[QMT] 已启动: {qmt_path}")
    except Exception as e:
        print(f"[ERROR] 启动 QMT 失败: {e}")
Confidence
94% confidence
Finding
subprocess.Popen([qmt_path], shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"[QMT] 正在启动: {exe_path}")
    try:
        # 使用 subprocess 启动,不等待完成
        subprocess.Popen(
            [exe_path],
            cwd=qmt_path,
            shell=True,
Confidence
98% confidence
Finding
subprocess.Popen( [exe_path], cwd=qmt_path, shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL )

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases such as “下载交易数据”, “获取历史数据”, and “下载历史数据” are overly generic and are likely to match many ordinary user requests unrelated to this specific skill. This can cause unintended invocation of the skill, increasing the chance that users are routed into code paths that download data, start services, or interact with local QMT resources without sufficiently specific intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal