Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
tqsdk-test
v1.0.0
天勤量化 (tqsdk) - Real-time futures market data and historical data interface, providing real-time quotes, K-line series and historical data queries for domestic (Chinese) futures and options.
by qingyi@qingyiyl
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The code (handler, tqsdk_client.py) implements fetching real-time quotes, kline series and historical kline data via tqsdk, which aligns with the skill description. However, registry metadata lists no required env vars while SKILL.md/README/some manifests instruct use of TQ_USERNAME/TQ_PASSWORD; skill.yaml also declares username/password as required parameters — these mismatches are incoherent and could affect how credentials are supplied and stored.
Instruction Scope
Runtime instructions and the handler read credentials from environment variables (TQ_USERNAME, TQ_PASSWORD) and then call the tqsdk library (network I/O to the provider). That scope is appropriate for the stated purpose, but SKILL.md/README/skill.yaml disagree about whether credentials are env vars or invocation parameters. If the platform treats the declared parameters (skill.yaml) as stored/visible fields, credentials could be exposed unintentionally. No other unrelated files, system paths, or external endpoints are referenced.
Install Mechanism
There is no install spec even though requirements.txt lists tqsdk and pandas. Because install steps are not declared, it's unclear whether or how dependencies will be installed in the runtime. That is a packaging inconsistency (not directly malicious) but can break execution or cause the platform to auto-install packages without explicit instruction.
Credentials
Only a tqsdk username and password are needed for functionality, which is proportionate. However, the repository/manifest contradictions are problematic: registry metadata claims no required env vars, SKILL.md and README instruct setting TQ_USERNAME/TQ_PASSWORD, while skill.yaml declares username/password as required parameters. This mismatch risks exposing credentials (parameters may be stored in logs/UI) or causing the skill to fail if the platform supplies credentials differently.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It runs only when invoked and does not request elevated/persistent platform privileges.
What to consider before installing
This skill's code implements the described tqsdk features and only needs your tqsdk username/password, but the package has inconsistent metadata about how credentials and dependencies are supplied. Before installing:
1) Ask the author which method will be used at runtime — environment variables (TQ_USERNAME/TQ_PASSWORD) or invocation parameters — and whether the platform will store parameter values securely.
2) Prefer setting credentials as environment/secret-config (not as plain text parameters) so they are not stored in invocation logs or UI fields.
3) Confirm how/if the platform will install requirements.txt packages (tqsdk, pandas) and whether you accept that behavior.
4) Test with a throwaway or limited-permission account first.
5) Note there is a minor coding issue (undefined Union import in tqsdk_client.py) which may cause runtime errors; request an updated package from the author.
If you cannot verify how the platform will handle credential storage or dependency installation, treat the skill as higher risk and avoid providing your primary account credentials.