longbridge
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a LongPort brokerage CLI with a disclosed purpose, but it can use your account credentials to place trades, and its instructions encourage AI agents to skip order confirmations for programmatic calls.
Install only if you want an agent to access LongPort account data. Keep trading disabled unless needed, do not permit --yes for orders without explicit approval of exact trade details, and store API credentials securely.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If trading is enabled, an agent could submit real buy or sell orders without a separate interactive confirmation prompt.
The skill directly recommends a no-confirmation mode for AI programmatic use of buy/sell order commands, which are high-impact brokerage actions.
Skip the confirmation prompt (adding --yes is recommended for programmatic calls by AI agents); longbridge buy AAPL.US --qty 100 --price 180.0 --yes
Keep LONGBRIDGE_TRADE_ENABLED unset or false by default, and only allow --yes after you explicitly approve the exact account/profile, symbol, side, quantity, and price.
Installing and configuring the skill gives the agent access to private brokerage account data, and potentially trading authority if the token and trade flag allow it.
The skill requires LongBridge API credentials to access account balances, positions, orders, and optionally trading; this is purpose-aligned but sensitive.
export LONGBRIDGE_APP_KEY="your_app_key"; export LONGBRIDGE_APP_SECRET="your_app_secret"; export LONGBRIDGE_ACCESS_TOKEN="your_access_token"
Use the least-privileged LongBridge credentials available, prefer read-only access when possible, and avoid enabling trading except for deliberate trading sessions.
A future dependency version could change behavior from what was reviewed here.
The package install resolves unpinned or minimum-version Python dependencies, which is normal for many CLIs but reduces reproducibility.
dependencies = [ "longbridge", "click>=8.0", "rich>=13.0" ]
Install from a trusted copy of the skill and consider pinning or locking dependencies before using it with live brokerage credentials.
