tigeropen-typescript

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The quickstart explicitly shows placing a privateKey (and other credentials) directly into createClientConfig, which encourages embedding real secret values into generated code/commands and therefore could require the model to output secrets verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is an SDK specifically for Tiger Brokers OpenAPI with explicit trading capabilities: it documents TradeClient usage, placing/modifying/canceling orders, checking positions/assets, and real-time order/position push. The prompt even warns about real vs. paper trading and instructs confirming live orders. These are direct financial execution functions (placing market/trade orders), not generic tooling. Therefore it meets the "Direct Financial Execution" criteria.