ClawHub

longbridge

v1.0.2

长桥 LongPort OpenAPI CLI 工具,提供股票行情查询、账户持仓、订单管理、市场数据四大功能。 当用户提到"长桥"、"LongPort"、"longbridge",或要求查看股票报价、实时行情、K线、盘口、 逐笔成交、账户余额、持仓、基金持仓、下单、买入、卖出、撤单、今日订单、历史订单、 资金流向...

1· 571·2 current·2 all-time
by@frankxiong
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (market quotes, account, orders, market data) align with the included Python CLI code and the LongPort SDK usage. Requested env vars (LONGBRIDGE_APP_KEY, LONGBRIDGE_APP_SECRET, LONGBRIDGE_ACCESS_TOKEN) match the documented API auth requirements.
Instruction Scope
SKILL.md instructs the agent to load .env files, set environment variables, install/run the CLI, and run specific longbridge commands. The instructions only access .env files in the current/home directory and the declared env vars; they do not instruct reading unrelated system files or sending data to unexpected external endpoints.
Install Mechanism
No formal install spec is declared in registry metadata, but SKILL.md instructs using the local 'uv tool install "$SKILL_DIR"' to install the package and the bundle includes pyproject/requirements. Dependencies (longbridge, click, rich) are standard PyPI packages. This is reasonable but the absence of a registry install spec while shipping package files is an inconsistency to be aware of.
Credentials
Only LongPort-related credentials and an optional LONGBRIDGE_TRADE_ENABLED flag are requested. The number and type of env vars are proportional to a trading/quote CLI. No unrelated secrets or cloud credentials are requested.
Persistence & Privilege
Skill is not marked always:true and does not request elevated system-wide privileges. It may be installed into the user's environment via the uv tool (per SKILL.md), which is expected for a CLI package; it does not modify other skills or global agent settings.
Assessment
This skill appears to be a legitimate LongPort (长桥) CLI wrapper: it needs your LongPort API credentials and will use them to call the LongPort Python SDK. Before installing, confirm you obtained those credentials from the official LongPort site. Note the SKILL.md tells you to run 'uv tool install "$SKILL_DIR"' to install the included Python package and dependencies from PyPI — verify you trust the 'uv' installer and that the PyPI package 'longbridge' is legitimate. Trading commands are disabled by default (LONGBRIDGE_TRADE_ENABLED must be set to true) and the CLI prompts for confirmation; when automating, be careful with the --yes flag because it will skip confirmations and submit real orders. Finally, there is a minor metadata inconsistency: the registry lists no install spec while the skill bundle contains code and packaging files — this is not a security red flag by itself but worth noting.

Like a lobster shell, security has layers — review code before you run it.

latestvk977v9crcq5s1t9ynqctnzq7nx83vpns

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
OSmacOS · Linux
Binspython3, uv
EnvLONGBRIDGE_APP_KEY, LONGBRIDGE_APP_SECRET, LONGBRIDGE_ACCESS_TOKEN

Comments