qmt-docs

Warn

Audited by Snyk on May 23, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required workflow and code examples (e.g., references/backtesting-guide.md and various references/dict/*.md) explicitly instruct using xtdata.get_market_data_ex, xtdata.subscribe_quote and xtdata.download_history_data to fetch public market data from external sites (e.g., dict.thinktrader.net / xuntou.net), and that fetched third‑party data is read and used to drive trading decisions and orders (passorder), so untrusted external content can materially influence tool use.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). 该技能文档明确为 QMT 策略交易系统的开发指南,包含“交易 API(下单、查询函数)”、实盘指南、回测与实盘代码示例等。示例代码中有直接下单调用(例如 passorder(...)),并且存在“实盘指南”“交易函数”“执行机制”等专门用于下单与实时交易的接口。根据规则,这些是专门用于发起金融交易/移动资金的接口,属于直接金融执行能力。

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 23, 2026, 04:29 PM
Issues
2
Security Audit — snyk — qmt-docs