tigeropen-java
Fail
Audited by Snyk on Apr 25, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The quickstart snippet explicitly sets clientConfig.privateKey and other IDs as string literals (e.g., clientConfig.privateKey = "your_private_key_content"), which encourages embedding secrets verbatim in generated code/outputs and thus creates an exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a trading SDK for Tiger Brokers with built-in APIs for market data, placing/modifying/cancelling orders, account management and fund transfers. The documentation and references (e.g., "Place orders (market/limit/stop/algo), order management, contracts, assets, positions, fund transfers" and the trading-focused Quickstart with client/privateKey setup) show the primary purpose is to execute financial transactions. It even warns about defaulting to paper vs. live trading, which implies it can perform real-money orders. This is a specific financial execution tool, not a generic interface.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata