TickFlow Data

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward market-data SDK instruction skill, but users should review the dependency installation steps and protect their TickFlow API key.

Before installing, confirm you trust the TickFlow SDK and uv installer, preferably use an isolated Python workspace, and keep your TickFlow API key out of shared files or source control.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the environment will execute installer/package code from external sources, so a compromised installer or dependency could affect the local Python environment.

Why it was flagged

The setup instructions ask the user to run a remote installer and install a Python package using a version range. This is purpose-aligned for using the TickFlow SDK, but it depends on trusted external sources.

Skill content

curl -LsSf https://astral.sh/uv/install.sh | sh ... dependencies = ["tickflow[all]>=0.1.17"] ... uv sync

Recommendation

Verify the uv installer URL and TickFlow package source, consider pinning exact dependency versions or using a lockfile, and run the SDK in an isolated project environment.

What this means

Processes running in a shell environment where the TickFlow API key is exported may be able to use the key, which could expose account access or usage quota if mishandled.

Why it was flagged

The artifact discloses that full TickFlow service access uses an API key read from the environment and suggests optionally persisting it in a shell profile.

Skill content

export TICKFLOW_API_KEY="your-api-key" ... echo 'export TICKFLOW_API_KEY="your-api-key"' >> ~/.zshrc ... tf = TickFlow()

Recommendation

Store the API key securely, avoid committing shell profiles or scripts containing the key, use the least-privileged key available, and rotate the key if it may have been exposed.