tigeropen-go

Fail

Audited by Snyk on Apr 25, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill's Quick Start shows, and thereby encourages, passing credentials (e.g., WithPrivateKey("your_rsa_private_key"), WithTigerID(...)) as string literals in generated code. That directs the agent to embed secret values verbatim in source, where they end up in version control, logs and any prompt that echoes the code, and is therefore insecure.
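As an added illustration, not part of the Snyk report or of the tigeropen-go project: a Go program that takes the two values the Quick Start hard-codes (the Tiger ID and the RSA private key) from the environment instead, refuses the placeholder strings a copied Quick Start leaves behind, and parses the key before any trading client could be built. The variable names TIGER_ID, TIGER_PRIVATE_KEY and TIGER_PRIVATE_KEY_FILE, the TigerCredentials type and LoadCredentials are this example's own assumptions; the SDK's WithTigerID/WithPrivateKey options appear only in a comment. The key the program loads is a throwaway one generated at run time so the example runs offline, not a real credential.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"strings"
)

// TigerCredentials is a hypothetical holder for the two values the Quick Start
// passes as literals to WithTigerID / WithPrivateKey. It is not an SDK type.
type TigerCredentials struct {
	TigerID    string
	PrivateKey *rsa.PrivateKey
}

// placeholders are dummy strings a copied Quick Start leaves behind; they are
// rejected outright so an agent cannot "succeed" with a fake secret.
var placeholders = []string{"your_rsa_private_key", "your_tiger_id", "changeme"}

func isPlaceholder(v string) bool {
	lower := strings.ToLower(strings.TrimSpace(v))
	for _, p := range placeholders {
		if strings.Contains(lower, p) {
			return true
		}
	}
	return false
}

// ParseRSAPrivateKey accepts a PKCS#1 ("RSA PRIVATE KEY") PEM block.
func ParseRSAPrivateKey(data []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("private key is not a PEM \"RSA PRIVATE KEY\" block")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// LoadCredentials reads TIGER_ID and the private key (inline in TIGER_PRIVATE_KEY
// or from the file named by TIGER_PRIVATE_KEY_FILE; the names are this example's
// convention), rejects placeholders and parses the key. lookup is injected
// (os.LookupEnv in real use) so the function is testable without the process env.
func LoadCredentials(lookup func(string) (string, bool)) (*TigerCredentials, error) {
	tigerID, ok := lookup("TIGER_ID")
	if !ok || strings.TrimSpace(tigerID) == "" {
		return nil, errors.New("TIGER_ID is not set")
	}
	if isPlaceholder(tigerID) {
		return nil, errors.New("TIGER_ID holds a placeholder value")
	}
	pemText, ok := lookup("TIGER_PRIVATE_KEY")
	if !ok {
		path, okPath := lookup("TIGER_PRIVATE_KEY_FILE")
		if !okPath {
			return nil, errors.New("set TIGER_PRIVATE_KEY or TIGER_PRIVATE_KEY_FILE")
		}
		raw, err := os.ReadFile(path)
		if err != nil {
			return nil, fmt.Errorf("reading private key file: %w", err)
		}
		pemText = string(raw)
	}
	if isPlaceholder(pemText) {
		return nil, errors.New("private key holds a placeholder value")
	}
	key, err := ParseRSAPrivateKey([]byte(pemText))
	if err != nil {
		return nil, fmt.Errorf("private key: %w", err)
	}
	return &TigerCredentials{TigerID: tigerID, PrivateKey: key}, nil
}

// NewDemoKeyPEM generates a throwaway PKCS#1 RSA key so the example runs
// offline; a real deployment never generates its API key in-process.
func NewDemoKeyPEM() (string, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	block := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
	return string(pem.EncodeToMemory(block)), key, nil
}

func main() {
	// INSECURE, as the Quick Start shows it: the secret is a literal in source.
	//   WithTigerID("your_tiger_id"), WithPrivateKey("your_rsa_private_key")
	// HARDENED: the values come from the environment and are validated first.
	pemText, _, err := NewDemoKeyPEM()
	if err != nil {
		panic(err)
	}
	env := map[string]string{"TIGER_ID": "20150001", "TIGER_PRIVATE_KEY": pemText} // constructed demo env
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	creds, err := LoadCredentials(lookup) // real use: LoadCredentials(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to build a trading client:", err)
		os.Exit(1)
	}
	fmt.Printf("credentials ok: Tiger ID %s, RSA-%d key\n", creds.TigerID, creds.PrivateKey.N.BitLen())
}
```

The point of the injected lookup is that the same function is exercised against a map in tests and against os.LookupEnv in production; the placeholder list catches the exact literals the Quick Start hands to an agent, and the PEM parse catches anything that is a real-looking but unusable secret before it reaches a trading client.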

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is an SDK built specifically for trading with Tiger Brokers (Tiger Open API). It explicitly documents and exposes trading and account-management operations: placing, modifying and canceling orders, querying positions and assets, fund transfers (deposit and withdrawal), and real-time order/position push subscriptions. The Quick Start and references show clients for trade actions (trade.NewTradeClient) and order operations. It is a purpose-built financial execution tool with live-trading capability (paper trading is only the default, not a restriction), so it grants direct financial execution capability.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Apr 25, 2026, 01:14 AM
Issues
2