Back to skill

Security audit

tqsdk-query

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Tianqin/TQSDK market-data reader, with credential and dependency cautions but no evidence of hidden, destructive, or unrelated behavior.

Install this only if you are comfortable providing a Tianqin/TQSDK username and password as environment variables. Prefer credentials limited to market-data access, keep those variables scoped to this skill, and consider pinning dependency versions for reproducible deployments. Also verify or remove the missing tqsdk_client import before relying on the skill, because it may prevent the package from loading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation explicitly requires secrets in environment variables (`TQ_USERNAME`, `TQ_PASSWORD`) while declaring no permissions, creating a mismatch between documented behavior and declared security boundaries. This can lead to overbroad or implicit secret access, reduced user visibility into what sensitive data the skill needs, and weaker review/auditing of credential handling.

Unpinned Dependencies

Low
Category
Supply Chain
Content
tqsdk>=3.0.0
pandas>=1.3.0
Confidence
93% confidence
Finding
tqsdk>=3.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
tqsdk>=3.0.0
pandas>=1.3.0
Confidence
97% confidence
Finding
pandas>=1.3.0

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.