Skill v1.0.0

ClawScan security

tqsdk-query · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 7, 2026, 3:36 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and docs match its stated purpose (accessing TqSdk market data) and require only TQ credentials, but there are packaging and metadata inconsistencies (required environment variables that the registry metadata does not declare, and a relative import of a module that is not shipped with the package) that warrant caution before installing.
Guidance
This skill appears to do what it says (fetch TqSdk market and kline data) and legitimately needs your TQ username and password. Before installing:
1. You must set TQ_USERNAME and TQ_PASSWORD as environment variables. The registry metadata's failure to list them is an oversight, not a sign that no credentials are needed.
2. Do not give the skill high-privilege or primary account credentials without understanding the risk; prefer a dedicated, low-privilege account if possible.
3. The package imports a local module (.tqsdk_client) that is not present in the manifest, so the handler may fail at import time. Verify in a controlled environment that the package installs tqsdk and pandas and that the import resolves before trusting it with credentials.
4. Review your network policy if the skill is only allowed to communicate with approved endpoints: tqsdk connects to ShinnyTech servers.
5. If you are not comfortable providing credentials, do not install or run the skill until these issues are resolved, or run it only in an isolated/sandboxed environment.
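A pre-install check for the two packaging findings in this guidance (environment variables the code reads but the metadata never declares, and relative imports whose module is not packaged), as an added example that is not part of the scan output or of the skill's own code. The sample package below is constructed for illustration and only mirrors the findings; how your registry exposes declared environment variables is an assumption here (a plain set of names), so adapt `DECLARED_ENV` to the real manifest.

```python
import ast
import posixpath
from typing import Dict, Set

# Constructed sample package (not the real skill's files). It reproduces the
# two findings in the review: TQ_* credentials read from the environment but
# never declared, and a relative import of .tqsdk_client that is not shipped.
SAMPLE_FILES: Dict[str, str] = {
    "tqsdk_query/__init__.py": "",
    "tqsdk_query/util.py": "def to_frame(rows):\n    return rows\n",
    "tqsdk_query/handler.py": (
        "import os\n"
        "from .util import to_frame          # packaged, resolves\n"
        "from .tqsdk_client import make_api  # not packaged\n"
        "TQ_USERNAME = os.environ['TQ_USERNAME']\n"
        "TQ_PASSWORD = os.environ.get('TQ_PASSWORD')\n"
    ),
}

# What the registry metadata claims the skill needs (assumed format: a set of
# names). The review notes the published metadata lists nothing.
DECLARED_ENV: Set[str] = set()


def _is_os_attr(node: ast.AST, name: str) -> bool:
    """True for the expression `os.<name>`."""
    return (isinstance(node, ast.Attribute) and node.attr == name
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def _str_const(node: ast.AST):
    """The string value of a literal node, else None."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def env_vars_referenced(src: str) -> Set[str]:
    """Names read via os.environ[...], os.environ.get(...) or os.getenv(...)."""
    found: Set[str] = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Subscript) and _is_os_attr(node.value, "environ"):
            key = node.slice
            if type(key).__name__ == "Index":      # Python < 3.9 wraps the key
                key = key.value
            name = _str_const(key)
        elif isinstance(node, ast.Call) and node.args:
            f = node.func
            via_get = (isinstance(f, ast.Attribute) and f.attr == "get"
                       and _is_os_attr(f.value, "environ"))
            name = _str_const(node.args[0]) if via_get or _is_os_attr(f, "getenv") else None
        else:
            continue
        if name:
            found.add(name)
    return found


def unresolved_relative_imports(path: str, src: str, packaged: Set[str]) -> Set[str]:
    """Relative imports (from .mod import x) whose module file is not packaged."""
    missing: Set[str] = set()
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.ImportFrom) and node.level and node.module):
            continue
        base = posixpath.dirname(path)
        for _ in range(node.level - 1):          # each extra dot climbs one directory
            base = posixpath.dirname(base)
        target = node.module.replace(".", "/")
        candidates = {posixpath.join(base, target + ".py"),
                      posixpath.join(base, target, "__init__.py")}
        if not candidates & packaged:
            missing.add("." * node.level + node.module)
    return missing


def audit_skill(files: Dict[str, str], declared_env: Set[str]) -> Dict[str, Set[str]]:
    """Cross-check declared metadata against what the Python sources actually do."""
    used: Set[str] = set()
    missing: Set[str] = set()
    for path, src in files.items():
        if path.endswith(".py"):
            used |= env_vars_referenced(src)
            missing |= unresolved_relative_imports(path, src, set(files))
    return {
        "undeclared_env": used - declared_env,       # needed but not declared
        "unused_declared_env": declared_env - used,  # declared but never read
        "missing_modules": missing,                  # imports that fail at load time
    }


if __name__ == "__main__":
    for finding, names in audit_skill(SAMPLE_FILES, DECLARED_ENV).items():
        print(f"{finding}: {sorted(names) or '-'}")
```

Run it against the unpacked skill directory (read each file into the `files` mapping) before installing: a non-empty `undeclared_env` means the registry listing understates what the skill needs, and a non-empty `missing_modules` means the handler will raise ImportError at load time regardless of credentials. The check only sees literal names; a skill that builds env var names dynamically or imports via importlib needs manual review.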

Review Dimensions

Purpose & Capability
note · The name/description, SKILL.md, and code all consistently target the TqSdk market-data API and legitimately need a TQ username/password and the tqsdk/pandas dependencies. However, the published registry metadata declares no required environment variables even though SKILL.md and the code require TQ_USERNAME and TQ_PASSWORD; this inconsistency may be an oversight, but it reduces transparency.
Instruction Scope
ok · Runtime instructions and code read only the declared credentials (TQ_USERNAME/TQ_PASSWORD) and the action parameters, and call the tqsdk library to fetch market data. There are no instructions to read unrelated files, scan the host, or send data to unexpected endpoints. Network calls to tqsdk servers are expected for this purpose.
Install Mechanism
note · There is no external download/install URL (no high-risk remote fetch). The package includes a requirements.txt listing tqsdk and pandas, as expected. The skill ships Python code but no explicit install spec, so the platform may auto-install the dependencies. This is reasonable, but the missing install spec together with the bundled code means the host environment must be able and allowed to install Python dependencies.
Credentials
note · Only TQ_USERNAME and TQ_PASSWORD are needed, which is proportional to the skill's purpose. However, the skill metadata does not list these required env vars even though SKILL.md and the code require them; that mismatch reduces clarity and could lead to misconfiguration, or to credentials being placed somewhere they should not be, if a user assumes no sensitive environment is needed.
Persistence & Privilege
ok · The skill does not request permanent/global presence (always:false). It does not modify other skills or system configuration. It runs as an invoked handler and uses only its own runtime.