Longbridge Openapi
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: longbridge-openapi
Version: 1.0.3

The longbridge-openapi skill bundle is a comprehensive financial analysis and account management tool wrapping the Longbridge Securities platform. It provides extensive capabilities for market data retrieval, fundamental analysis, and portfolio management via the 'longbridge' CLI and MCP. For high-risk operations such as recurring investment plans (DCA) and account mutations, it enforces a strict 'preview-then-confirm' protocol to ensure user consent. The instructions prioritize data privacy, include mandatory financial disclaimers, and employ safe coding practices like using temporary files for JSON parsing to mitigate shell-related risks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user confirms the wrong action, the agent could change watchlists, create alerts, or set up investment automation through Longbridge.
The skill includes tools that can mutate brokerage-side settings or investment plans, which is high-impact but directly related to its stated finance/trading purpose.
watchlist read + admin, price alerts, recurring DCA plans
Only approve mutation previews after checking the exact symbol, account, amount, frequency, and action; avoid broad or ambiguous confirmations.
The skill may be able to view brokerage account information and, where trade scope is granted, perform account-related operations after confirmation.
The skill may use OAuth tokens, app secrets, and trade-scope login for Longbridge account access. This is expected for the integration, but the permissions are sensitive.
LONGBRIDGE_APP_SECRET ... LONGBRIDGE_ACCESS_TOKEN ... Sections marked 🔒 require trade-scope login.
Use the least-privileged Longbridge login available, keep tokens out of shared environments, and revoke or rotate credentials if no longer needed.
Security depends on the `longbridge` binary installed on the user’s system.
The reviewed artifact does not include runnable code or an install recipe, so the actual `longbridge` CLI implementation and provenance are outside this review.
Source: unknown ... Required binaries (at least one): longbridge ... No install spec — this is an instruction-only skill.
Install the Longbridge CLI only from official Longbridge sources, verify the binary/version, and avoid using untrusted wrappers.
A confirmed alert or DCA plan may continue to operate until the user changes or cancels it in Longbridge.
Alerts and recurring investment plans can persist after the current chat. The artifact discloses this capability, so this is a persistence note rather than hidden behavior.
price alerts, and recurring DCA plans
Set explicit limits and review active alerts or recurring plans periodically in the Longbridge account.
