Tigerbrokers
Security checks across malware telemetry and agentic risk
Overview
This is a disclosed Tiger Brokers SDK reference skill, but it involves real trading credentials and order-placement capabilities, so users should keep it in paper or read-only mode unless they intentionally want live trading.
Install only if you intend to work with Tiger Brokers APIs. Keep credentials private, start in paper trading or MCP read-only mode, preview all orders, and require explicit confirmation before any live trade.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a live Tiger Brokers account, generated code or connected tools could submit, modify, or cancel real trades.
The skill documents real order placement but also includes user-confirmation and paper-trading safety rules, making this high-impact but purpose-aligned.
**Default to Paper Trading.** ... **Confirm with user** ... **Execute**: after confirmation, execute `place_order()`
Use paper trading by default, preview orders first, and require explicit user approval before any live order.
Anyone or any tool with these credentials may be able to query account data and, depending on account setup, trade on the user’s behalf.
The skill requires broker identity, private key, and account credentials, which are necessary for the stated API integration but grant sensitive account access.
requires: env: - TIGEROPEN_TIGER_ID - TIGEROPEN_PRIVATE_KEY - TIGEROPEN_ACCOUNT
Store credentials securely, avoid pasting private keys into chat, use least-privilege/read-only modes where available, and rotate keys if exposed.
An AI editor connected to this MCP server may be able to access account data and trading functions through the broker API.
The MCP setup intentionally exposes broker API tools to AI editors, including trading tools unless read-only mode is enabled.
Tiger MCP Server exposes Tiger OpenAPI as MCP tools for AI editors ... `place_order` ... `cancel_order` ... (disabled in read-only mode)
Start with `TIGERMCP_READONLY=true`, review the editor’s tool-call approval settings, and only disable read-only mode when you are prepared to approve live trading actions.
Running remote install scripts can execute code on the user’s machine outside the reviewed skill artifacts.
The setup guide includes remote installer commands for uv; this is common developer tooling, but it executes code fetched from the network.
curl -LsSf https://astral.sh/uv/install.sh | sh ... powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
Verify installer URLs and package provenance before running them, and prefer pinned or reviewed installation methods in sensitive environments.
