mt5-httpapi
v1.2.0MetaTrader 5 trading via REST API — get market data, place/modify/close orders, manage positions, pull history. Use when you need to interact with forex/cryp...
⭐ 3· 1.3k·1 current·1 all-time
byCiprian Mandache@psyb0t
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the instructions: the SKILL.md documents a REST interface to an MT5 instance and the references/setup.md explains how to run that instance and supply broker credentials. All required artifacts (API URL, optional token, broker credentials, MT5 installer) are coherent with a trading API.
Instruction Scope
SKILL.md expects environment variables (MT5_API_URL and optionally MT5_API_TOKEN) and uses curl to call API endpoints — fine for its purpose — but the registry metadata did not declare these envs. references/setup.md also instructs copying Cloudflare credentials from ~/.cloudflared and placing broker login/passwords in config/accounts.json. Those instructions involve handling sensitive secrets and exposing the API publicly; the docs also say the API can run without auth if the token file is missing (insecure).
Install Mechanism
This is an instruction-only skill (no install spec or code executed by the agent). Setup instructs cloning a GitHub repo and using Docker/KVM to provision a Windows VM and MT5; those are normal user-run operations and not performed by the agent itself. No arbitrary remote binaries are installed by the platform on behalf of the agent.
Credentials
The skill requires sensitive data for its function: broker login/password and an API token (and optionally Cloudflare tunnel credentials for public exposure). These are proportionate to a trading API, but the registry omitted declaring MT5_API_URL/MT5_API_TOKEN. Be cautious about where you store the broker credentials and cloudflared creds and avoid running the API without an auth token.
Persistence & Privilege
always:false and normal agent invocation are used. The skill does not request elevated platform privileges or modify other skills. However, because it enables automated trading, allow-listing or strict confirmation controls on autonomous agent actions are recommended to prevent unintentional trades.
Assessment
This skill appears to do what it says: controlling MetaTrader 5 via a local HTTP API. Before installing, note: (1) you will need to host an MT5 instance (VM + Docker) and supply broker credentials and an API token — these are sensitive, so store them securely; (2) the skill/docs instruct copying Cloudflare tunnel credentials if you want public access — that copies sensitive files from your home directory and should only be done if you understand the exposure; (3) the registry metadata omitted declaring MT5_API_URL/MT5_API_TOKEN even though SKILL.md requires them — verify env vars are configured; (4) the API can run without auth if the token file is missing — do not expose an unauthenticated trading API; (5) because the agent can invoke the skill autonomously, restrict or require confirmation for any actions that place/modify/close trades to avoid accidental financial loss.Like a lobster shell, security has layers — review code before you run it.
latestvk97esrfvnnm469djygv9qce0th84f03x
License
MIT-0
Free to use, modify, and redistribute. No attribution required.