Automates MetaTrader 5 trading: connect, monitor accounts, execute buy/sell orders with SL/TP, retrieve market data, and manage positions via scripts.
Security Analysis
High confidence: The skill's code and instructions match its stated MT5 trading purpose, but multiple scripts contain hardcoded account credentials and the package declares no required secrets — a disproportionate and risky mismatch that you should fix or understand before running.
Name and description align with what the files implement: Python scripts using the MetaTrader5 package to connect, read market data, and place/close orders. Requiring the MT5 desktop client and MetaTrader5 Python package is expected for this functionality.
SKILL.md stays within the trading domain and instructs users to modify configuration before use, but several runtime scripts include hardcoded account login/password/server values and call mt5.login() directly. The instructions tell users to edit scripts or create config.py, but do not mandate or enforce removal of the embedded credentials; the presence of those credentials in code expands the effective runtime scope (they will be used automatically if left unchanged).
No install spec or remote downloads are present (instruction-only + local code files). That reduces supply-chain risk — nothing is fetched or executed from third-party URLs by the skill itself.
The skill declares no required environment variables or primary credential, yet many scripts contain plaintext credentials (login: 277528870, password: "KKx88088@@@@", server: "Exness-MT5Trial5") and other example account data. This is disproportionate: sensitive credentials are embedded in code rather than being declared or recommended as environment/config inputs. Multiple scripts reuse the same hardcoded credentials, increasing exposure.
The skill is not always-enabled, is user-invocable, and does not request special platform privileges or modify other skills/configurations. Autonomous invocation is allowed (platform default) but not combined here with other high-privilege requests.
Guidance
This skill appears to implement the trading features it claims, but exercise caution before installing or running it:
- Do not run these scripts against a live account until you have reviewed and replaced all credentials. Multiple scripts include plaintext account login/password/server values. Treat those as secrets and remove them from the repo.
- Prefer using a config.py (kept out of version control) or environment variables (os.getenv) for MT5_LOGIN/MT5_PASSWORD/MT5_SERVER instead of hardcoded values. The SKILL.md recommends this, but the files still contain credentials that will be used if left unchanged.
- Test only on a demo account first. A script can place/close real trades if connected to a live MT5 session and AutoTrading is enabled.
- Restrict filesystem permissions on any config file you create and add config.py to .gitignore. Consider rotating passwords if you have ever run the included credentials.
- Inspect the scripts yourself (they are plain Python) and remove unused example credentials. If you are concerned about an agent running the skill autonomously, avoid enabling autonomous invocation for agents that have access to real trading credentials.

If you want, I can: (a) list every file/location where credentials appear, (b) suggest exact code edits to switch to environment variables, or (c) produce a safe config.py template using os.getenv().
Latest Release
v1.0.0
Initial release of mt5-trading-assistant – a comprehensive automation suite for MetaTrader 5 trading platforms.
- Provides scripts for account monitoring, trade execution (buy/sell), closing positions, and retrieving market/K-line data.
- Includes real-time tracking for balance, equity, open positions, margin, and leverage.
- Supports execution of trades with optional stop loss/take profit and closing individual or all positions.
- Offers configuration options via script modification or a dedicated config file, with broker-specific templates.
- Features risk management tools including position size calculators and daily loss limits.
- Comes with example scripts for connecting, monitoring, and testing MT5 integration.
Published by @canvascn00-crypto on ClawHub