Skill v1.0.2
ClawScan security
tqsdk · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 23, 2026, 10:01 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to be a straightforward wrapper/documentation for the official TqSdk trading library, but there are metadata inconsistencies around credential requirements and packaging that you should resolve before installing or providing credentials.
- Guidance: This skill appears to be documentation and examples for the official TqSdk Python library. Before installing or using it:
  1. Verify the package source and version (prefer the official GitHub repo or PyPI entry for shinnytech/tqsdk).
  2. Be cautious providing trading credentials: the bundle's metadata.json lists TQ_USERNAME/TQ_PASSWORD but the registered skill claims no required env vars; confirm how and where credentials will be stored and used by the agent.
  3. Understand that 'pip install tqsdk' will download and execute third-party code; inspect the upstream project (GitHub/PyPI) if you need to audit code.
  4. Limit network and credential exposure where possible (use least-privilege test accounts for initial trials).
  If you want to proceed, fix or clarify the metadata discrepancy with the skill author so the platform correctly prompts for credential configuration.
Review Dimensions
- Purpose & Capability (concern): The skill's name, README, and SKILL.md describe the TqSdk trading SDK and include examples that require a trading username/password (TqAuth). That capability legitimately requires credentials and network access to the vendor. However, the registry metadata at the top level shows "Required env vars: none" while metadata.json lists TQ_USERNAME and TQ_PASSWORD; this mismatch is unexplained and inconsistent.
- Instruction Scope (ok): SKILL.md contains usage instructions and code examples that tell the agent to import and use the tqsdk Python library and to pip install tqsdk. The instructions do not ask the agent to read arbitrary system files or to exfiltrate data. They do implicitly cause network activity (connecting to Shinnytech/TqSdk services), which is expected for a trading SDK.
- Install Mechanism (ok): There is no formal install spec in the skill bundle (instruction-only). The docs recommend 'pip install tqsdk', which is standard. Note: pip installing a package executes code obtained from PyPI (or wherever pip resolves to); this is normal but carries the usual supply-chain risk, so verify the package source/version before installing.
- Credentials (concern): Requesting trading credentials (username/password) is proportionate to the skill's purpose, but there is a clear inconsistency: the file metadata.json declares env variables TQ_USERNAME and TQ_PASSWORD (and README mentions setting them), whereas the skill registration metadata lists no required env vars. This mismatch could lead to credentials not being requested/handled as expected by the platform or accidentally forwarded. No other unrelated credentials are requested.
- Persistence & Privilege (ok): The skill is not marked 'always: true' and does not request elevated or persistent platform privileges. It is user-invocable and allows normal autonomous invocation (the platform default). It does not attempt to modify other skills or global agent settings.
