Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tqsdk-test

v1.0.0

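天勤量化 (Tianqin Quant) - real-time futures quotes and historical data interface, providing real-time quotes, K-line series and historical data queries for Chinese domestic futures and options.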

0 stars · 104 downloads · 0 current · 0 all-time
by qingyi (@qingyiyl)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for qingyiyl/tqsdk-test.

Install the skill "tqsdk-test" (qingyiyl/tqsdk-test) from ClawHub.
Skill page: https://clawhub.ai/qingyiyl/tqsdk-test
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install tqsdk-test

ClawHub CLI

npx clawhub@latest install tqsdk-test

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code (handler, tqsdk_client.py) implements fetching real-time quotes, kline series and historical kline data via tqsdk, which aligns with the skill description. However, registry metadata lists no required env vars, while SKILL.md, the README and some manifests instruct use of TQ_USERNAME/TQ_PASSWORD, and skill.yaml also declares username/password as required parameters. These sources are inconsistent with one another, which could affect how credentials are supplied and stored.
Instruction Scope
Runtime instructions and the handler read credentials from environment variables (TQ_USERNAME, TQ_PASSWORD) and then call the tqsdk library (network I/O to the provider). That scope is appropriate for the stated purpose, but SKILL.md/README/skill.yaml disagree about whether credentials are env vars or invocation parameters. If the platform treats the declared parameters (skill.yaml) as stored/visible fields, credentials could be exposed unintentionally. No other unrelated files, system paths, or external endpoints are referenced.
Install Mechanism
There is no install spec even though requirements.txt lists tqsdk and pandas. Because install steps are not declared, it's unclear whether or how dependencies will be installed in the runtime. That is a packaging inconsistency (not directly malicious) but can break execution or cause the platform to auto-install packages without explicit instruction.
Credentials
Only a tqsdk username and password are needed for functionality, which is proportionate. However, the repository/manifest contradictions are problematic: registry metadata claims no required env vars, SKILL.md and README instruct setting TQ_USERNAME/TQ_PASSWORD, while skill.yaml declares username/password as required parameters. This mismatch risks exposing credentials (parameters may be stored in logs/UI) or causing the skill to fail if the platform supplies credentials differently.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It runs only when invoked and does not request elevated/persistent platform privileges.
What to consider before installing
This skill's code implements the described tqsdk features and only needs your tqsdk username/password, but the package has inconsistent metadata about how credentials and dependencies are supplied. Before installing:
  1) Ask the author which method will be used at runtime — environment variables (TQ_USERNAME/TQ_PASSWORD) or invocation parameters — and whether the platform will store parameter values securely.
  2) Prefer setting credentials as environment/secret-config (not as plain text parameters) so they are not stored in invocation logs or UI fields.
  3) Confirm how/if the platform will install requirements.txt packages (tqsdk, pandas) and whether you accept that behavior.
  4) Test with a throwaway or limited-permission account first.
  5) Note there is a minor coding issue (undefined Union import in tqsdk_client.py) which may cause runtime errors; request an updated package from the author.
If you cannot verify how the platform will handle credential storage or dependency installation, treat the skill as higher risk and avoid providing your primary account credentials.

Like a lobster shell, security has layers — review code before you run it.

latest vk97c8vb81xxy5mc258d4xv2x4983xjvw
104 downloads
0 stars
1 version
Updated 4w ago
v1.0.0
MIT-0

天勤量化 (Tianqin Quant) Skill

This skill provides access to the 天勤量化 (Tianqin Quant) API and supports fetching real-time futures quotes, K-line series and historical data.

Usage examples

/tqsdk-read get_quote SHFE.rb2410
/tqsdk-read get_kline_serial SHFE.rb2410 --duration_seconds 300 --data_length 50
/tqsdk-read get_kline_data SHFE.rb2410 --duration_seconds 3600 --start_dt 2024-01-01T09:00:00 --end_dt 2024-01-31T15:00:00

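Environment variable configuration

This skill reads the 天勤 (Tianqin) account from environment variables. Set them before use:

  • TQ_USERNAME: Tianqin username (registered on the official website)
  • TQ_PASSWORD: Tianqin password

In ClawHub, these can be configured on the skill settings page or through an environment variable file.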

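Notes

  • Historical K-line queries (get_kline_data) require a 天勤 (Tianqin) Professional Edition account.
  • Real-time quotes and K-line series (get_quote, get_kline_serial) work with a Basic Edition account.
  • Contract code format: exchange.contract code, e.g. SHFE.rb2410, DCE.m2409, CFFEX.IF2406
  • For multi-contract operations, separate the symbol values with commas (supported only by get_quote and get_kline_serial).
  • Common K-line period values: 60 (1 minute), 300 (5 minutes), 900 (15 minutes), 3600 (1 hour), 86400 (daily).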

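FAQ

Q: What should I do if I see "天勤认证失败" (Tianqin authentication failed)?
A: Check that the environment variables TQ_USERNAME and TQ_PASSWORD are correct, and make sure the account has been activated.

Q: The historical K-line interface returns an error?
A: Confirm that you have a 天勤 (Tianqin) Professional Edition account and that the time range is valid (the number of K-lines does not exceed the limit).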
