Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
LongPort Quant Trader (房总版)
v1.0.0长桥证券量化交易集成 - 自动超跌/动量策略 + 飞书推送 + 绩效跟踪。支持港股/美股自动交易,每 5 分钟监控,止盈止损管理。适用于想要自动化交易的个人投资者和量化爱好者。
⭐ 0· 76·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (LongPort quantitative trader) align with required binaries (python3), required env vars (LONGPORT_APP_KEY, LONGPORT_APP_SECRET, LONGPORT_ACCESS_TOKEN), and the included Python code which calls longport.openapi for market data and order submission.
Instruction Scope
The SKILL.md instructs typical setup steps (pip install longport, set env vars, run quant_monitor.py). Runtime code legitimately reads env vars, queries quotes, and submits orders. Note: multiple scripts persist state to /tmp (e.g., /tmp/auto_trade_state.json, /tmp/auto_trade_performance.json) and write logs (logs/quant_monitor.log) — expected for a trading bot but worth being aware of because these files hold trading state and should be protected.
Install Mechanism
Install spec only ensures python3 via Homebrew (python@3.12) which is reasonable. The README/SKILL.md also instructs pip installing third-party packages (longport, python-dotenv) but that pip install is not encoded in the install spec — it's a normal omission but means the environment must run pip to install dependencies before use.
Credentials
Only LongPort API credentials are required (LONGPORT_APP_KEY, LONGPORT_APP_SECRET, LONGPORT_ACCESS_TOKEN), which are directly relevant. Optional Feishu webhook config is documented but not required. No unrelated tokens or high-privilege credentials are requested.
Persistence & Privilege
Skill is not always-enabled and uses normal agent invocation. It stores state and performance data to local files under /tmp and logs; it does not request or modify other skills or system-level configurations. This persistence is typical for a trading bot.
Assessment
This skill is coherent for automated trading, but granting it your LongPort API credentials permits live order submission — treat them like real-money keys. Before using in production: 1) Test thoroughly on the provider's sandbox/simulated account (use a sandbox access token if available). 2) Review and run the code in an isolated environment (dedicated machine/container) to protect keys and state files. 3) Keep secrets out of source control (.env and shell rc files), rotate keys if exposed, and consider creating a LongPort token/account scoped to limited permissions if the platform supports it. 4) Be aware the bot persists state and logs (/tmp and logs/...), so secure or clean those files if needed. 5) If you don't trust the publisher, inspect all scripts (especially those that send data externally) before providing credentials.Like a lobster shell, security has layers — review code before you run it.
automationvk97aqhdp1063graey6ff3twjdh83fyckhkstockvk97aqhdp1063graey6ff3twjdh83fycklatestvk97aqhdp1063graey6ff3twjdh83fycklongportvk97aqhdp1063graey6ff3twjdh83fyckquantvk97aqhdp1063graey6ff3twjdh83fycktradingvk97aqhdp1063graey6ff3twjdh83fyck
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💰 Clawdis
Binspython3
EnvLONGPORT_APP_KEY, LONGPORT_APP_SECRET, LONGPORT_ACCESS_TOKEN
Install
Install Python 3.12
Bins: python3
brew install python@3.12