tqsdk

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate futures/options trading SDK reference, but it gives copy-paste live trading and credential examples without enough safeguards for real-money accounts.

Install only if you intentionally want an agent to help with TqSdk futures/options workflows. Treat all order examples as capable of affecting a real account, use TqSim or backtesting first, keep real credentials out of prompts and source files, and require explicit human confirmation plus strict symbol, volume, and loss limits before any live trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 91%
Finding
The document provides concrete live order-placement examples, including market and limit orders, without prominent warnings that these commands can place real trades or guidance to validate strategies in simulation/backtest first. In a trading SDK, copy-paste examples materially lower the barrier to accidental real-money execution, especially because the same document also shows live account initialization nearby.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README includes a direct live trading example using `api.insert_order(...)` with real authentication credentials and no adjacent warning that the code can place actual market orders. In an agent-skill context, users may copy or automate examples without recognizing that this is not a simulation, which can lead to unintended financial loss or unauthorized trading activity.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill includes concrete live-trading order placement examples, including marketable orders and continuous event loops, without an explicit warning that these actions can affect real-money accounts. In an agent skill context, this increases the chance that a user or automated agent will run examples against production credentials and place unintended trades, causing financial loss.

Missing User Warnings

Medium
Confidence: 92%
Finding
The examples instruct users to pass username and password directly into the SDK without any credential-handling guidance. In an AI-agent setting, this can encourage users to paste secrets into prompts, source files, logs, or shared environments, increasing the risk of credential leakage and subsequent account compromise.

VirusTotal

66/66 vendors flagged this skill as clean.