Skill v0.3.2
ClawScan security
TradeMemory Protocol · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 3, 2026, 10:51 AM)
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, optional environment variables, and runtime instructions are consistent with an MT5/trading-memory integration; network installs and optional external-API usage are expected but should be reviewed before running.
- Guidance: This skill is coherent with its stated purpose, but take these precautions before installing or running it:
  1. Review the tradememory-protocol package code (server/reflection logic) on PyPI/GitHub before pip installing and before running the server.
  2. Only provide MT5 credentials if you understand they will be stored in a local .env file and used to connect to your MT5 terminal; the setup prints account info locally during verification.
  3. Do not set ANTHROPIC_API_KEY unless you are willing to send (allegedly anonymized) trading-pattern data to Anthropic; audit what is sent.
  4. Run installation and server in an isolated environment (virtualenv/container) and avoid running as root.
  5. Note MT5 Python API usage is Windows-specific; on macOS/Linux you must use manual recording, the REST API, or your own sync script.

  Review the GitHub repo and package release provenance if you need higher assurance.
Review Dimensions
- Purpose & Capability (ok): The name/description (trading memory for MT5/forex) matches the provided artifacts: SKILL.md documents MT5 sync, local server, and AI reflections; scripts install the Python package and set up MT5 sync. Required binaries (python3, pip) are appropriate. Optional env vars (MT5 credentials, ANTHROPIC_API_KEY, TRADEMEMORY_API) all have clear, relevant purposes.
- Instruction Scope (note): SKILL.md and the scripts instruct the agent to pip install the package, run a local server (python -m src.tradememory.server), and run an mt5_sync.py sync script that reads MT5 credentials from a local .env. The sync/test code prints local account info when connecting to MT5 (balance/account ID). The instructions do not contain hidden exfiltration paths, but they do guide the user to run a server and optional networked reflection calls (Anthropic) if configured; you should review the package's server/reflection implementation (installed from PyPI) before enabling external APIs.
- Install Mechanism (note): Installation is via pip (tradememory-protocol from PyPI) and git clone from the linked GitHub repo, which is standard for Python projects. This requires downloading and executing code from external sources (PyPI/GitHub). This is expected for this type of skill, but it is a network install that should be reviewed (check the PyPI package contents and the GitHub repo) before running in a sensitive environment.
- Credentials (ok): No required environment variables are forced by the registry; SKILL.md documents several optional sensitive variables (MT5_LOGIN, MT5_PASSWORD, MT5_SERVER, ANTHROPIC_API_KEY, TRADEMEMORY_API). Each is justified by the functionality (MT5 sync, LLM reflections, custom API endpoint). They are optional and scoped to the project (.env). Note: enabling ANTHROPIC_API_KEY causes data to be sent to Anthropic (albeit described as anonymized).
- Persistence & Privilege (ok): The skill does not request always:true and does not attempt to modify other skills or system settings in the provided scripts. The installer and setup operate in the project directory and do not require elevated privileges. The agent-autonomy default is unchanged (disable-model-invocation:false), which is expected and not by itself a concern.
