Jquants Mcp
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: jquants-mcp Version: 0.1.2 The OpenClaw AgentSkills bundle for 'jquants-mcp' appears benign. It provides access to the J-Quants API for stock market data. The `SKILL.md` file clearly outlines the skill's purpose, commands, and setup, including the requirement for `JQUANTS_MAIL_ADDRESS` and `JQUANTS_PASSWORD` environment variables, which is a standard practice for API authentication and not indicative of credential theft. The installation instructions use `uv` to install the `jquants-mcp` Python package, and all command examples invoke the `jquants-mcp` binary with expected arguments. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the AI agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The installed tool may authenticate to J-Quants using your account credentials to retrieve market data.
The skill asks for J-Quants account credentials. That matches the stated API-access purpose, but users should recognize they are granting account-authenticated access.
Requires `JQUANTS_MAIL_ADDRESS` and `JQUANTS_PASSWORD` environment variables
Use a dedicated J-Quants account if possible, store credentials as environment variables only, and avoid sharing logs or outputs that may expose account details.
Installing the skill will install and run code from the named package source, so package provenance matters.
The skill depends on an external package-installed binary. This is normal for a CLI/MCP integration, but the provided artifacts do not include package source details beyond the package name.
uv | package: jquants-mcp | creates binaries: jquants-mcp
Before installing, verify the package publisher and version, and install only from a trusted package index or pinned source.