mt5_trade

The skill is suspicious due to a significant shell injection vulnerability (RCE risk) in SKILL.md. The instructions explicitly tell the AI agent to construct PowerShell commands by dynamically inserting JSON payloads (e.g., '<PASTE_DRAFT_JSON_HERE>' for /order_confirm) without any mention of sanitization or escaping. If an attacker can control the content of the JSON payload, they could inject arbitrary PowerShell commands, leading to remote code execution. While the stated purpose is to interact with a local trading API, this critical flaw allows for exploitation beyond the intended functionality.