TGA Analyze

Audited by ClawScan on May 10, 2026.

Overview

This skill appears purpose-aligned, but it requires TGA login cookies and stores a reusable access token on disk, while the registry metadata declares no credential requirements at all.

Install only if you are comfortable storing TGA credentials/cookies and a reusable token in the skill directory. Use a limited account if possible, protect the .env and .tga-token files, delete or rotate them after use, and verify local Node/Python tooling before running the download and analysis workflow.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone installing this skill may be giving the agent access to a TGA account session and downloaded report data.

Why it was flagged

The skill requires account login material and browser cookie/session data, then stores a reusable token locally. The registry metadata says there are no required env vars and no primary credential, so this high-impact authority is under-declared outside the instructions.

Skill content
Credentials come from the `.env` in the skill; the token is cached in the directory where this skill lives. ... `TGA_LOGIN_NAME` ... `TGA_ENCRYPTED_PASSWORD` ... `TGA_COOKIES`: **required** ... copy the complete cookie string from the developer tools or the browser
Recommendation

Declare the credential requirements in metadata, use least-privilege credentials if available, store tokens with restrictive permissions, and provide clear cleanup/rotation instructions.

What this means

The skill may fail or behave differently depending on the local Node, unzip, Python, and pandas environment.

Why it was flagged

The skill is marked as having no install spec or required binaries, but its documented workflow depends on local command execution and local analysis tools. This is expected for the purpose, but users should know the runtime requirements.

Skill content
node ~/.agents/skills/tga-analyze/scripts/tga.js login ... use `unzip` ... read each one with Python's `pandas.read_excel`
Recommendation

List required binaries and Python dependencies in metadata or setup instructions, and review the included script before running it with credentials.

What this means

Running the script can create local credential and report files and contact the TGA service using the configured account session.

Why it was flagged

The Node script performs network requests and local file writes, including token caching and report download. This matches the advertised TGA download purpose, but it is sensitive because it runs locally with account credentials. Two details in the excerpt deserve attention: the token cache is written with `fs.writeFileSync` and no `mode` option, so the file receives the process umask default (commonly 0644, readable by other local users), and the download URL carries the access token as a query parameter, where it can be recorded in proxy and server access logs.

Skill content
fs.writeFileSync(TOKEN_PATH, JSON.stringify({ token }, null, 0), 'utf8'); ... const downloadPath = `/v1/ta/auth/manage/task/taskFileDownload?access_token=${encodeURIComponent(token)}&projectId=${projectId}&taskId=${taskId}`;
Recommendation

Run it only in a trusted workspace, keep the skill directory private, and remove .env/.tga-token when access is no longer needed.