Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Moomoo Trading

v1.0.0

Use OpenD-backed moomoo/Futu scripts for quotes, K-lines, price alerts, portfolio/account checks, and stock order execution. Triggers on moomoo, futu, OpenD,...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The code files (quote, watchlist, portfolio, trade, setup_check) are consistent with the skill description: they interact with a local OpenD gateway and the futu/moomoo SDKs to fetch quotes and place or modify orders. Nothing in the bundle requires unrelated cloud credentials or unexpected system access.
Instruction Scope
SKILL.md and the scripts confine actions to OpenD and the futu/moomoo SDKs (connecting to a local host/port, querying market data, and placing/canceling/modifying orders). The instructions do not ask the agent to read unrelated files or exfiltrate data to external endpoints.
Install Mechanism
There is no install spec. The README recommends installing futu-api or moomoo-api via pip — expected for a Python SDK. No remote arbitrary downloads or archive extraction are present in the bundle.
Credentials
The runtime expects a live-trading unlock secret (default env var MOOMOO_UNLOCK_PASSWORD) and references environment variables in code and SKILL.md, but the skill metadata lists no required environment variables or primary credential. That's an incoherence: a secret is required for normal live operation but not declared in the registry metadata, which can lead to user confusion and accidental insecure handling of credentials.
Persistence & Privilege
always:false and no install spec means the skill does not request forced persistent inclusion. The scripts do not attempt to modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to implement the trading and data features it advertises and uses a local OpenD gateway; however:
- The trade script expects a live-trading unlock password via the environment variable MOOMOO_UNLOCK_PASSWORD (or an alternate env var you pass). The skill metadata does not declare this env var — treat this as a missing metadata declaration, not a functional bug. Do not pass any trading password on the command line; use an env var as instructed.
- By default scripts run in simulated mode; explicit flags (--env real --confirm) are required for live orders. Only enable real trading when you intend to and after you verify the code and OpenD connection.
- Review the included Python files yourself (they are bundled) and ensure you trust the source before installing or running live operations. If you plan to use live trading, consider creating a dedicated account with limited permissions for automation and avoid storing the unlock password in shared or long-lived places.
- You will need to pip install futu-api or moomoo-api and run a local OpenD instance (127.0.0.1:11111 by default). Installing packages pulls code from PyPI — verify package sources and versions if supply-chain risk is a concern.
If the registry entry is intended to require the unlock password, ask the publisher to add that environment variable to the skill metadata so tool ecosystems can make the requirement explicit and reduce accidental insecure usage.
