Futu Trading Bot
Analysis
This appears to be a real Futu trading helper, but it can unlock accounts and place real trades without clearly declared credentials, confirmation gates, or safety limits.
Findings (9)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
When the user expresses any of these intents, you should use the encapsulated functions provided in this skill ... Never call Futu SDK functions directly – always go through the skill's API.
This explicitly steers agent tool selection toward the skill for broad trading-related intents. It is disclosed and safety-oriented, but it affects how the agent chooses tools.
`submit_order(...)`; `modify_order(...)`; `cancel_order(...)`; `cancel_all_orders(...)` ... The `REAL` environment will attempt real trades; confirm your trading permission status first.
The skill exposes tools that can place, modify, and cancel broker orders, including real-money trading. The artifacts do not define a required approval gate, maximum order size, loss limit, or rollback boundary.
dependencies = [ "futu-api", "pydantic>=2,<3", ]
The broker SDK dependency is unpinned, and the registry source/homepage are absent. For a real-trading skill, changing dependency versions can materially change behavior.
Design principles ... no idempotent de-duplication checks are performed.
The trade service explicitly does not de-duplicate requests. In a trading workflow or long-running strategy, repeated agent calls can create duplicate or cascading financial actions.
it accurately translates vague intents—such as "buy 200 shares of Tencent" or "close half of my positions"—into execution actions that comply with financial standards.
This strong assurance could make users over-trust natural-language trading execution, while the artifacts do not show formal financial compliance controls or mandatory confirmations.
`run_strategy(...)` responsibilities are limited to: PID file management; preventing duplicate starts; `SIGINT` / `SIGTERM` cleanup; keeping the process running
The skill supports long-running strategies with PID management. This is disclosed and purpose-aligned, but it can continue operating until stopped.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
metadata: `Primary credential: none`; SKILL.md: `Configure credentials` and `Edit json/config.json with your Futu credentials`.
The registry declares no primary credential, but the skill asks for Futu credentials and supports trading-password unlock. That under-declares sensitive account authority.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
`json/config.json` must not be committed to the repository; add it to `.gitignore`. Use least privilege: `chmod 600 json/config.json`. Do not write real passwords or MD5 values to logs.
The skill persists and reuses local configuration containing trading credentials and broker connection settings. The docs warn about protection, so this is disclosed, but it is sensitive persistent state.
"host": "127.0.0.1", "port": 11111, "security_firm": "FUTUSECURITIES"
The skill communicates with a configured Futu OpenD brokerage gateway. The default is localhost, which is purpose-aligned, but users can change the endpoint, so they must make sure any endpoint they configure is one they trust.
