Tiger Trading

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill matches its stated Tiger brokerage purpose, but it can place or cancel stock trades using a private key without documented confirmation, limits, or strong credential safeguards.

Only use this skill if you intend the agent to access a Tiger brokerage account. Start with the TBNZ/sandbox environment, do not provide real private-key material casually, verify the tigeropen dependency, and require explicit confirmation before any real order or cancellation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with a real account, an incorrect or premature agent action could buy or sell securities with real financial consequences.

Why it was flagged

The code constructs and submits a brokerage order directly when place_order is called. The provided artifacts do not show a required user confirmation step, trade-size/value limits, or a dry-run mode before this high-impact action.

Skill content

tiger_order = Order(... action=side.upper(), order_type=order_type, quantity=quantity, limit_price=price)
result = client.place_order(tiger_order)

Recommendation

Require explicit user confirmation for every order and cancellation, showing account, symbol, side, quantity, order type, and price; add sandbox/dry-run defaults and configurable order limits.

What this means

Anyone who gains access to the private key and account details could potentially access the brokerage account according to that key's permissions.

Why it was flagged

The CLI accepts a Tiger private key path or literal private key content. This is purpose-aligned for brokerage authentication, but the key is highly sensitive and literal command-line use can expose it through shell history or process listings.

Skill content

parser.add_argument('--private-key', required=True, help='私钥路径或内容')

Recommendation

Prefer a protected key file or secret manager over pasting private key content, use sandbox credentials first, and restrict real-account credentials to the minimum permissions needed.

What this means

Users may need to install an external package whose exact version and source are not documented in the skill artifacts.

Why it was flagged

The skill depends on the external tigeropen Python package, but the supplied artifacts include no install spec or pinned dependency version.

Skill content

from tigeropen.tiger_open_config import TigerOpenClientConfig
from tigeropen.trade.trade_client import TradeClient

Recommendation

Install only the official Tiger Open SDK from a trusted source, pin the version, and review dependency installation before using real brokerage credentials.