QMT Development

Security checks across malware telemetry and agentic risk

Overview

This is a QMT trading-development reference skill with live-trading examples, but it does not install code, run commands, or hide unrelated behavior.

Install only if you want Chinese-language QMT development guidance. Treat generated or copied live-trading code as financially sensitive: review every passorder call, account identifier, signal file path, duplicate-order control, stop-loss rule, and QMT-side capital/risk limit before using it with a real account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The skill declares automatic triggers using broad terms such as “QMT” and especially “实盘” (live trading), which can appear in many normal finance or trading conversations. This can cause the skill to activate outside the author's intended scope, injecting domain-specific trading guidance into unrelated contexts and increasing the chance of unsafe or confusing automation.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The skill metadata and content are entirely in Chinese and imply a fixed-language interaction model without stating user choice or fallback behavior. In multilingual environments, this can lead to misunderstandings of trading or risk-control instructions, which is especially problematic for a finance-related skill where misinterpretation can affect real-money decisions.

VirusTotal

63/63 vendors flagged this skill as clean.
