TGA Analyze
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: tga-analyze Version: 1.0.0 The skill is a specialized automation tool designed to download and analyze reports from the TGA (Hortor Games) analytics platform. It uses a Node.js script (scripts/tga.js) to manage authentication and file downloads via HTTPS, and provides instructions in SKILL.md for the agent to process the resulting data using standard utilities like unzip and pandas. While the skill requires sensitive credentials (cookies and passwords) to be stored in a local .env file, the script logic is transparent, restricts credential transmission to the target domain (tga-web.hortorgames.com), and lacks any indicators of data exfiltration, persistence, or malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing this skill may be giving the agent access to a TGA account session and downloaded report data.
The skill requires account login material and browser cookie/session data, then stores a reusable token locally. The registry metadata says there are no required env vars and no primary credential, so this high-impact authority is under-declared outside the instructions.
凭证来自skill中的 `.env`,token 缓存在本技能所在目录下。 ... `TGA_LOGIN_NAME` ... `TGA_ENCRYPTED_PASSWORD` ... `TGA_COOKIES`: **必填** ... 从开发者工具或浏览器复制完整 cookie 字符串
Declare the credential requirements in metadata, use least-privilege credentials if available, store tokens with restrictive permissions, and provide clear cleanup/rotation instructions.
The skill may fail or behave differently depending on the local Node, unzip, Python, and pandas environment.
The skill is marked as having no install spec or required binaries, but its documented workflow depends on local command execution and local analysis tools. This is expected for the purpose, but users should know the runtime requirements.
node ~/.agents/skills/tga-analyze/scripts/tga.js login ... 使用 `unzip` ... 用 Python 的 `pandas.read_excel` 逐个读取
List required binaries and Python dependencies in metadata or setup instructions, and review the included script before running it with credentials.
Running the script can create local credential and report files and contact the TGA service using the configured account session.
The Node script performs network requests and local file writes, including token caching and report download. This matches the advertised TGA download purpose, but it is sensitive because it runs locally with account credentials.
fs.writeFileSync(TOKEN_PATH, JSON.stringify({ token }, null, 0), 'utf8'); ... const downloadPath = `/v1/ta/auth/manage/task/taskFileDownload?access_token=${encodeURIComponent(token)}&projectId=${projectId}&taskId=${taskId}`;Run it only in a trusted workspace, keep the skill directory private, and remove .env/.tga-token when access is no longer needed.