Wenhua 8 Mai Language Quantitative Development

Security checks across malware telemetry and agentic risk

Overview

This is a WT8 trading-strategy reference skill with risky trading examples, but I found no hidden execution, credential access, persistence, or deceptive behavior.

Use this as a reference for WT8 syntax and strategy drafting, not as production-ready financial advice. Do not copy generated strategies into a live trading account without manual review, backtesting or paper trading, account/environment checks, position and loss limits, and explicit human approval before any real-money execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence

Medium
Confidence: 92%
Finding
Template 6 describes pre-close breakout entry behavior, but the channel bounds are computed using the current bar, so the breakout condition can be self-referential or inconsistent with the stated trading logic. In a live trading context this can cause premature, missing, or misleading signals, which is dangerous because users may deploy it believing it behaves as documented during real-money execution.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The code is labeled as a trend-reversal close section, but the commands used can reverse or initiate opposing positions rather than performing a close-only action. In an automated trading template, that semantic mismatch can materially increase exposure and create unintended trades when users expect only risk reduction.

Missing User Warnings

Medium
Confidence: 93%
Finding
This document provides executable automated trading logic, including entry, exit, and stop-loss behavior, but does not include any warning about financial risk, live-order consequences, slippage, or the need for simulation before deployment. In the context of an agent skill or example library, users may treat the sample as ready-to-run guidance and unknowingly deploy strategies that cause real financial loss or unintended order execution.

Missing User Warnings

Medium
Confidence: 94%
Finding
This example contains executable trading logic that opens short positions and closes positions based on market conditions, but the surrounding documentation provides no warning that these commands may affect live orders, capital, or real accounts if copied into a production environment. In a trading skill, omission of risk disclosure materially increases the chance that users treat example code as safe to run, leading to unintended financial loss.

Missing User Warnings

Medium
Confidence: 96%
Finding
This section includes multi-condition entry, exit, and stop-loss logic for a three-cycle resonance strategy, again without any user-facing caution that the code can trigger live position changes and financial exposure. Because the file presents multiple ready-to-use strategies in a how-to format, the context makes accidental operational use more likely and therefore increases the practical risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
This example file provides executable trading risk-control patterns, including stop-loss, take-profit, breakeven, and equity-based liquidation logic, but contains no warning that these rules can automatically close positions, lock in losses, or trigger full account-level exits. In a trading skill context, omission of risk disclosures and safe-use guidance can cause users to deploy the examples directly in live environments without understanding account impact, parameter sensitivity, or market-specific behavior.

Missing User Warnings

Medium
Confidence: 90%
Finding
The document explicitly teaches use of SIGCHECK to place orders before a candle has closed and later recommends market-price execution for stop signals, but it does not provide an explicit warning about signal flicker, slippage, false positives, or unintended live-trading consequences. In a trading-execution skill, this increases the chance that users deploy risky behavior directly in production without understanding that pre-close signals can disappear and market orders can fill at materially worse prices.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README promotes account queries, order placement, simulated/live execution, and backtesting without any explicit warning about financial risk, real-account consequences, or the need for user confirmation before trades. In a trading assistant, this omission can lead users or downstream agents to treat generated trading actions as safe defaults, increasing the chance of unintended real-money trades or misuse in live environments.

Missing User Warnings

Medium
Confidence: 95%
Finding
The file presents 'production' and live-trading-oriented templates as ready for real deployment without prominent warnings about real-money loss, slippage, execution differences, and the need for staged validation. In this skill context, the absence of safety guidance increases danger because users may treat the examples as operationally safe defaults and deploy them directly to live accounts.

Vague Triggers

Medium
Confidence: 86%
Finding
The skill advertises very broad capabilities including market queries, backtesting, order placement, and simulation, but does not define invocation boundaries, safety checks, or when trading actions are permitted. In an agent setting, this ambiguity can lead to overreach or unsafe execution of high-risk financial actions based on underspecified user intent.

VirusTotal

66/66 vendors flagged this skill as clean.
