FW-trading
Warn
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real brokerage trading integration, but it handles high-impact financial credentials and trading actions from an unknown source, with inconsistent option-trading instructions that users should review carefully.
Install only if you can verify this skill is from a trusted Fosun Wealth source. Before use, audit the bundled scripts, protect fosun.env and MEMORY.md, use limited or dedicated API credentials if available, require manual confirmation for every trade/order change, and avoid all option-related commands until the conflicting documentation is resolved.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may grant sensitive trading credentials to a package whose publisher and source cannot be independently verified from the registry metadata.
The skill asks for brokerage credentials and can perform real trading actions, but the registry provides no source or homepage to verify the claimed official provenance.
Source: unknown; Homepage: none; Description: ... Fosun Wealth ... official OpenAPI skill collection
Verify the publisher through Fosun Wealth or another trusted channel before installation, and audit the bundled scripts before providing real API credentials.
The agent or user could be confused into attempting unsupported option-related actions despite the top-level prohibition.
The top-level skill forbids option scripts and parameters, while the order documentation advertises option orders and includes option-order parameters, creating unclear scope for a high-risk trading feature.
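SKILL.md: "The current version does not support options...do not use any option-related scripts or parameters" vs fosun-orders.md: "Supports order placement (regular orders/conditional orders/trailing stop/take-profit and stop-loss/option orders)"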
Do not use option features until the maintainer removes the conflicting documentation or adds clear runtime blocking and consistent instructions.
If used correctly, the user should be asked before real trades or order changes; if those instructions are ignored, real money and positions could be affected.
The skill exposes order placement, cancellation, and modification workflows, but it also documents explicit user-confirmation requirements before high-impact actions.
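Before placing an order, you must confirm a second time with the user...directly executing order commands is prohibited...execute only after the user has explicitly confirmed; before cancelling an order, you must confirm a second time with the user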
Require a clear manual confirmation for every order, cancellation, or modification, and prefer check-only validation before placing trades.
Providing these values may allow the skill to access brokerage account data and submit account actions through the API.
These credentials and device identifiers are expected for the Fosun OpenAPI integration, but they provide sensitive account/API authority.
requires: env: - FSOPENAPI_API_KEY - FSOPENAPI_CLIENT_PRIVATE_KEY - FSOPENAPI_SERVER_PUBLIC_KEY - FSOPENAPI_BASE_URL - FSOPENAPI_MAC_ID
Use only credentials intended for this integration, keep them out of shared workspaces and source control, and revoke or rotate them if the skill is removed or no longer trusted.
A modified memory entry or exposed local state could cause the agent to use the wrong environment or reveal sensitive authorization status.
The skill relies on persistent local memory/state for the virtual environment path and credential status; this is disclosed, but stale or tampered state could affect later executions.
Read the virtual environment path recorded under `Fosun SDK` in `MEMORY.md`; `FSOPENAPI_API_KEY_STATUS` / `FSOPENAPI_TICKET_STATUS`: local state cache
Protect fosun.env and MEMORY.md, verify the virtual environment path before trading, and avoid committing these files to repositories.
A user could accidentally leave a market-data subscription running if they choose an unbounded duration.
The market push script can maintain a long-lived WebSocket connection if explicitly requested, but the default is time-bounded and the behavior is documented.
By default the subscription exits after 30 seconds; `--duration 0` means it runs persistently
Use finite durations unless a persistent stream is intentionally needed, and stop long-running subscriptions when finished.
