Emq

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent EMQ CLI helper, but it can log in to an EMQ account and run portfolio/order/raw commands without explicit confirmation safeguards.

Install only if you trust the `emq-cli` package and the EMQ account you plan to use. Before allowing the agent to run portfolio, batch order, or raw pass-through commands, require it to show the exact command and get your explicit approval; start with read-only `auth status`, `market`, `quota`, and `portfolio list` commands whenever possible.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent runs these commands against an important EMQ account, it could create or change portfolio/order records in ways the user did not carefully review.

Why it was flagged

The skill documents batch portfolio order submission and raw pass-through order commands, but the artifacts do not add explicit confirmation, dry-run, portfolio/account scoping, or recovery guidance before these higher-impact actions.

Skill content

```
emq portfolio order --code DEMO_PF --orders-file ./orders.json --remark "batch order"
emq raw porder --code DEMO_PF --orders-file ./orders.json --remark "raw batch order"
```

Recommendation

Require explicit user approval before any `portfolio create`, `portfolio order`, `portfolio qorder`, `raw porder`, or orders-file command, and prefer read-only market/quota/status commands unless the user supplies exact order details.

What this means

The agent may operate with the permissions of the EMQ account used for login.

Why it was flagged

The skill expects EMQ account credentials and an authenticated CLI session. This is aligned with the EMQ integration purpose, but users should notice that account access is involved.

Skill content

```
export EMQ_USER='your_user'
export EMQ_PASS='your_pass'
emq auth login
```

Recommendation

Use least-privilege/test credentials where possible, avoid sharing real passwords in chat history, and confirm account status before allowing mutating commands.

What this means

Installing the CLI runs code from the Python package source selected by pip, so users depend on that package being the intended and trusted one.

Why it was flagged

The skill tells the user or agent to install an external Python package without a pinned version in the artifact. This is expected for a CLI setup helper, but package provenance/version control is not shown.

Skill content

```
pip install emq-cli
emq --help
```

Recommendation

Install from a trusted package index, verify the package name and publisher, consider pinning a known-good version, and avoid installing in privileged/system Python environments.