Questrade
v1.0.0
Access Questrade brokerage accounts and Canadian/US market data for balances, positions, orders, executions, Level 1 quotes, historical candles, and symbol s...
by Jose Herrera (@josemiguelherrera)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description match the included code: it accesses Questrade account and market data. However the registry metadata declares no required environment variables or primary credential, while the SKILL.md and the script clearly require a Questrade refresh token (QUESTRADE_REFRESH_TOKEN) and optionally QUESTRADE_PRACTICE / QUESTRADE_READ_ONLY. That omission is an inconsistency — a credential is required for the stated purpose but not declared.
Instruction Scope
The runtime instructions and the Python script are focused on Questrade API calls only. They instruct users to provide a refresh token via env var or ~/.openclaw/credentials/questrade.json. The script reads/writes that credentials file and a token cache at ~/.openclaw/data/questrade-token-cache.json (it also updates the in-process env). These file reads/writes and network calls are within scope for this broker API skill, but the auto-saving of rotated refresh tokens to disk is a behavior users should be aware of.
Install Mechanism
This is an instruction-only skill with a small Python script and a requirements.txt (requests). No remote downloads, installers, or obscure third-party packages are used. Installing via pip install -r requirements.txt is sufficient and expected.
Credentials
The skill requires a sensitive OAuth refresh token and honors QUESTRADE_PRACTICE and QUESTRADE_READ_ONLY env vars, but the registry metadata lists no required env vars or primary credential. The script also persists rotated refresh tokens in plaintext under the user's home directory (~/.openclaw), which is reasonable functionally but increases local credential exposure. The combination (sensitive creds required but not declared) is disproportionate to how the registry advertises the skill.
Persistence & Privilege
The skill does persist state: it writes rotated refresh tokens and an access-token cache under ~/.openclaw. It does not request global privileges or always:true. Persisting the token and cache is functionally reasonable for an API client, but users should note files are created in their home directory and are stored in plaintext.
What to consider before installing
This skill appears to implement the Questrade API correctly, but the registry metadata failed to declare the sensitive credentials it needs. Before installing:
(1) Only provide your Questrade refresh token if you trust the skill source; verify the owner and code.
(2) Be aware the script will save rotated refresh tokens and an access-token cache to ~/.openclaw in plaintext; restrict those files' permissions (e.g., chmod 600) or keep them in a locked environment.
(3) Prefer creating a read-only/token limited account if possible, and enable QUESTRADE_READ_ONLY to block orders.
(4) Consider running the script in an isolated environment (container/VM) if you are unsure.
(5) Ask the publisher to update the registry metadata to declare QUESTRADE_REFRESH_TOKEN as the primary credential and to document file-write behavior so automated systems can make an informed install decision.
Like a lobster shell, security has layers: review code before you run it.
Tags: brokerage, canada, latest, market-data, portfolio, questrade, rrsp, stocks, tfsa
