Is ajtgjmdjp/jquants-mcp safe?
https://github.com/openclaw/skills/tree/main/skills/ajtgjmdjp/jquants-mcp
The jquants-mcp skill is a two-file documentation wrapper (SKILL.md + _meta.json) with no embedded executable code, no prompt injection, and a clean install that contacted only GitHub. Canary files were read but only by the audit framework's own pre/post-install verification sweeps, not by the skill. The primary residual risk is the unaudited PyPI package jquants-mcp, which will receive access to the user's J-Quants credentials at runtime and whose source was not inspected in this audit.
Findings (4)
MEDIUM Runtime dependency on unaudited PyPI package -18
The skill declares jquants-mcp as a uv-installed binary. The PyPI package is not bundled in the skill repository and was not fetched or inspected during this sandbox audit. At user install time, arbitrary Python code from that package will execute with access to the declared JQUANTS_MAIL_ADDRESS and JQUANTS_PASSWORD environment variables.
LOW Canary files read during audit window -13
Filesystem monitoring captured OPEN/ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at two points. Both windows are temporally attributable to the audit framework (pre-install baseline at 04:49:43 and post-install verification at 04:50:05), not the skill install process itself. Files were not modified and canary integrity passed.
LOW Credential exposure surface at runtime -21
The skill's stated operation requires authenticating to the J-Quants API using user email and password via environment variables. This is standard for MCP finance tools but creates a credential exposure surface if the backing binary is compromised or updated maliciously post-install.
INFO Large data transfer during git clone 0
~500KB+ of TCP payload observed to 140.82.121.4:443 during install. This is consistent with a shallow clone of the openclaw/skills monorepo and poses no concern.