Futu Trading Bot

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Futu trading assistant, but it can unlock accounts, place or change real-money orders, cancel all orders, and run background strategy processes without strong built-in confirmation controls.

Install only if you intentionally want an agent to interact with Futu OpenD and brokerage trading. Keep SIMULATE as the default until thoroughly tested, avoid plaintext trade passwords, protect config and account_info.json, and require explicit human approval before unlocking REAL trading, placing orders, modifying orders, or using cancel_all_orders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (12)

Description-Behavior Mismatch

Medium (96% confidence)
Finding
The code persists retrieved account information to a local JSON file on every query, creating an unnecessary at-rest copy of sensitive brokerage metadata such as account IDs, firm, account status, and trading environment. In an LLM-accessible trading skill, this expands the data exposure surface beyond the immediate workflow and may leak sensitive financial information to other local users, processes, backups, or logs.

Context-Inappropriate Capability

Medium (78% confidence)
Finding
The module exposes an interactive stdin password prompt for unlocking trading, which is not appropriate for an automation- or LLM-facing skill and can encourage unsafe credential handling paths. It bypasses clearer consent and secret-management patterns, and in some hosting setups may cause the operator to enter a live trading password into an unexpected or captured channel.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The module exposes a bulk destructive operation, cancel_all_orders, that can revoke all open orders for an account with a simple call. In an agent skill context, this materially increases blast radius because a mistaken prompt, ambiguous instruction, or prompt-injection chain could trigger widespread irreversible trading disruption rather than a single scoped action.

Intent-Code Divergence

Medium (84% confidence)
Finding
The docstring claims only a single safe external function is exposed, but the file also exports modify, cancel, and bulk-cancel functions. This mismatch can mislead reviewers, orchestrators, or calling agents into granting broader trust than warranted, increasing the chance that destructive capabilities are invoked without appropriate safeguards.

Missing User Warnings

Medium (93% confidence)
Finding
The README explicitly promotes natural-language trade unlocking and order placement, including support for REAL trading, but does not provide a prominent warning about irreversible financial consequences, confirmation requirements, or the risk of ambiguous agent interpretation. In an agent-integrated trading skill, this omission increases the chance that a user or autonomous workflow executes unintended real-money trades or unlocks a live account without understanding the risk.

Vague Triggers

Medium (82% confidence)
Finding
The activation guidance is very broad and maps common natural-language finance requests directly to market data, account, and trading operations. Without stricter boundaries and confirmation requirements, an agent could invoke sensitive functionality too readily, increasing the chance of unintended trading or account actions from ambiguous prompts.

Missing User Warnings

Medium (90% confidence)
Finding
The documentation tells the agent to write scripts, start background processes, monitor them, and kill them, but does not require an explicit user-facing warning or confirmation before these system-impacting steps. In practice, this enables durable execution and process control on the host, which is materially more dangerous than ordinary quote retrieval or one-shot API calls.

Missing User Warnings

Medium (89% confidence)
Finding
The documentation states that account information is written to a local JSON file on every call, but the warning is minimal and does not clearly communicate persistence, overwrite behavior, retention, or access-control expectations for potentially sensitive brokerage account metadata. In a trading-bot context, local persistence of account identifiers and status can increase exposure to unauthorized local users, accidental inclusion in backups/repos, or downstream misuse by other tools reading the file.

Missing User Warnings

Medium (94% confidence)
Finding
Writing account data to a local JSON file without warning or confirmation creates a stealthy persistence side effect for sensitive brokerage information. Users may believe they are only querying account details, while the skill silently leaves recoverable financial metadata on disk.

Missing User Warnings

Medium (89% confidence)
Finding
The unlock/lock helper functions automatically load trading credentials from configuration and can perform sensitive account state changes without an explicit warning or fresh confirmation. In the context of an LLM-accessible trading bot, this materially increases the risk of unintended or unauthorized trade unlocking if the function is invoked by mistake or via prompt-driven misuse.

Missing User Warnings

High (98% confidence)
Finding
The skill allows REAL-money order placement directly from function parameters without any explicit confirmation, user-presence check, or irreversible-action warning. In an autonomous or semi-autonomous agent setting, this is highly dangerous because prompt confusion, tool misuse, or prompt injection can turn natural-language text into actual financial trades with immediate monetary loss.

Missing User Warnings

High (97% confidence)
Finding
Order modification and cancellation are destructive account actions, yet the exported functions accept direct parameters and execute without explicit confirmation or user warning. In a trading agent context, accidental or adversarial invocation could cancel protective orders or alter live positions, creating significant financial and operational risk.

VirusTotal

64/64 vendors flagged this skill as clean.
