Questrade

Warn

Audited by ClawScan on May 18, 2026.

Overview

This appears to be a coherent Questrade integration, but it can use brokerage credentials for high-impact trading actions and documents a no-confirmation mode, so it should be reviewed carefully before use.

Install only if you trust this skill with your Questrade account. Keep read-only mode enabled, avoid --force, require explicit confirmation before any order or cancellation, and protect or revoke the local token files if your device is shared or compromised.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a token with partner trading permissions is used and read-only mode is disabled, an agent could place buy/sell orders without a final human confirmation, causing financial loss or unwanted trades.

Why it was flagged

The skill exposes a brokerage trade-submission path and explicitly documents a mode that bypasses the normal confirmation prompts.

Skill content

### Place Order *(partner API access required)* ... # Skip confirmation prompts ... `--force` ... Use `--force` to skip all prompts (automated use only)

Recommendation

Keep QUESTRADE_READ_ONLY=true unless trading is intentionally needed, do not allow the agent to use --force by default, and require explicit human confirmation of account, side, symbol, quantity, order type, and price before any order or cancellation.

What this means

Anyone who can read these local files may be able to access brokerage data, and possibly trading capabilities if the token has partner permissions.

Why it was flagged

The script stores and reuses Questrade refresh/access tokens locally, which is expected for OAuth token rotation but grants sensitive brokerage account access.

Skill content

CREDENTIALS_FILE = Path.home() / ".openclaw" / "credentials" / "questrade.json"
TOKEN_CACHE_FILE  = Path.home() / ".openclaw" / "data" / "questrade-token-cache.json"

Recommendation

Use a practice or read-only token when possible, protect the local credential files, avoid shared machines, and revoke/regenerate the Questrade token if the files may have been exposed.

What this means

Users have less external context for verifying who maintains the skill or whether updates are trustworthy.

Why it was flagged

For a skill that handles brokerage credentials, the absence of a source repository or homepage reduces provenance and maintenance transparency, even though the included artifacts are coherent and the static scan is clean.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included files before use, install dependencies in a controlled environment, and prefer a publisher/source you trust for financial-account integrations.