Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
VBrokers Trading
v1.0.0
VBrokers (华盛通 VCL HK) trading automation via OpenAPI Gateway running on localhost port 11111. Use when: setting up VBrokers or 华盛通 account access, authentica...
by @lcy360
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included Python client and API reference. The code exclusively targets the local OpenAPI Gateway (http://127.0.0.1:11111) and implements trading, quotes, K-lines, and helper logic described in the SKILL.md. No unrelated cloud services, binaries, or secrets are requested.
Instruction Scope
SKILL.md stays on-topic: it tells you to run the local Gateway app, install pycryptodome, copy/import the provided vbrokers_client.py, and call functions like trade_login, get_account_funds, place_order, etc. The instructions do not direct the agent to read arbitrary files, other env vars, or to transmit data to endpoints other than the specified localhost gateway.
Install Mechanism
There is no install spec (instruction-only with bundled client code). The only runtime dependency mentioned is pycryptodome (pip), which is appropriate for AES operations. No remote downloads or archive extracts are performed by the skill itself.
Credentials
The skill does not request environment variables or external credentials. It asks callers to pass their trading password to trade_login at runtime. The client contains a hardcoded base64 AES key (AES_KEY_B64) used to encrypt the password before sending it to the local gateway — this is plausible if the provider supplies a fixed key, but it is a transparency detail you should verify (see guidance).
Persistence & Privilege
always is false and the skill is user-invocable. It does not request permanent agent presence or modify other skills' configurations. The client only communicates with the local Gateway and does not persist credentials itself.
Assessment
This skill appears to implement exactly what it claims: a local OpenAPI Gateway client for VBrokers trading. Before installing or running it, do the following: (1) Verify the local Gateway (华盛通OpenAPIGateway.app) you will connect to is the official application and actually running on 127.0.0.1:11111. (2) Inspect the bundled scripts (vbrokers_client.py) yourself — it contains a hardcoded AES key used to encrypt your trading password; confirm this matches vendor documentation or replace it with a secure/configurable key if appropriate. (3) Never hand your real account credentials to untrusted code — test with a demo/small order first. (4) Ensure pycryptodome is installed from a trusted source. The skill does not exfiltrate data to remote hosts, but because it can place/cancel real orders, treat it as high-impact: validate behavior in a safe environment before granting it access to live money.
Like a lobster shell, security has layers — review code before you run it.
latestvk973axn4mr86f5c3djsmr1y85s82cjpw
