Skill v1.2.0
ClawScan security
mt5-httpapi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 8, 2026, 6:27 AM)
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and setup match its stated purpose (controlling MT5 via an HTTP API); a few minor documentation/metadata inconsistencies and exposure/credential-handling risks are worth noting before you use it.
- Guidance: This skill appears to do what it says: controlling MetaTrader 5 via a local HTTP API. Before installing, note: (1) you will need to host an MT5 instance (VM + Docker) and supply broker credentials and an API token — these are sensitive, so store them securely; (2) the skill/docs instruct copying Cloudflare tunnel credentials if you want public access — that copies sensitive files from your home directory and should only be done if you understand the exposure; (3) the registry metadata omitted declaring MT5_API_URL/MT5_API_TOKEN even though SKILL.md requires them — verify env vars are configured; (4) the API can run without auth if the token file is missing — do not expose an unauthenticated trading API; (5) because the agent can invoke the skill autonomously, restrict or require confirmation for any actions that place/modify/close trades to avoid accidental financial loss.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions: the SKILL.md documents a REST interface to an MT5 instance and the references/setup.md explains how to run that instance and supply broker credentials. All required artifacts (API URL, optional token, broker credentials, MT5 installer) are coherent with a trading API.
- Instruction Scope (concern): SKILL.md expects environment variables (MT5_API_URL and optionally MT5_API_TOKEN) and uses curl to call API endpoints — fine for its purpose — but the registry metadata did not declare these envs. references/setup.md also instructs copying Cloudflare credentials from ~/.cloudflared and placing broker login/passwords in config/accounts.json. Those instructions involve handling sensitive secrets and exposing the API publicly; the docs also say the API can run without auth if the token file is missing (insecure).
- Install Mechanism (ok): This is an instruction-only skill (no install spec or code executed by the agent). Setup instructs cloning a GitHub repo and using Docker/KVM to provision a Windows VM and MT5; those are normal user-run operations and not performed by the agent itself. No arbitrary remote binaries are installed by the platform on behalf of the agent.
- Credentials (note): The skill requires sensitive data for its function: broker login/password and an API token (and optionally Cloudflare tunnel credentials for public exposure). These are proportionate to a trading API, but the registry omitted declaring MT5_API_URL/MT5_API_TOKEN. Be cautious about where you store the broker credentials and cloudflared creds and avoid running the API without an auth token.
- Persistence & Privilege (ok): always:false and normal agent invocation are used. The skill does not request elevated platform privileges or modify other skills. However, because it enables automated trading, allow-listing or strict confirmation controls on autonomous agent actions are recommended to prevent unintentional trades.
