Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Longbridge
v1.0.0
Longbridge platform expert for investment analysis AND developer tasks. TRIGGER on ANY of: (1) any stock/market analysis request in any language — price perf...
⭐ 0 · 47 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
Name/description, CLI examples, Python/Rust SDK references, and MCP docs all consistently describe a Longbridge financial-data + developer integration. The declared lack of required env vars/binaries is coherent because this is an instruction-only skill that expects the platform or user to have the Longbridge CLI/SDKs available.
Instruction Scope
Runtime instructions tell the agent to call local 'longbridge' CLI, SDK methods, and the MCP server and instruct the agent to “always pull when user asks about 'my portfolio'.” That implies automatically accessing account positions and order endpoints (sensitive user account data) when invoked. The skill does not explicitly require user confirmation for data pulls in every case (though some docs recommend confirmation for order placement). This is expected behavior for a trading assistant, but it is scope-sensitive: users should expect the agent to read account positions and live market data when those triggers fire.
Install Mechanism
The skill has no install spec (lowest risk). The included docs recommend installing the CLI via Homebrew or via a curl | sh installer pointing at a GitHub raw URL. Curl|sh installs are common but inherently riskier than vetted package installs; the skill itself doesn't perform downloads, it only documents them.
Credentials
The skill declares no required env vars, but the reference files contain many environment variable names (SDK overrides, LONGBRIDGE_HTTP_URL, token cache paths, and examples referencing API key environment variables). Most references are proportional to a data/trading SDK, but there is a small inconsistency: some examples show OAuth/browser flows while a few examples call Config.from_apikey_env or similar functions (API-key-based config), which mixes auth models and could confuse implementers. No unrelated secrets (e.g., AWS keys) are requested.
Persistence & Privilege
always:false and no install spec. The skill is instruction-only and doesn't request permanent agent inclusion or modify other skills. It references client-side token caches (e.g., ~/.longbridge/openapi/tokens) which are typical for OAuth-based SDKs but does not itself persist data.
Assessment
This skill appears to be a coherent Longbridge data/trading assistant, but review these points before installing or enabling it:
1) Expect the agent to call your Longbridge tools and, when triggered, to fetch account positions and live data — ensure you want the agent to access that info and confirm the agent asks before placing orders.
2) The skill is instruction-only; it assumes the Longbridge CLI/SDK and OAuth tokens live on the host. If you install the CLI, follow your normal security policies (prefer package manager installs or verify the install script source rather than piping unknown scripts directly).
3) Check OAuth scopes when connecting MCP or the CLI (least-privilege) and verify token storage on your client.
4) Note small doc inconsistencies (OAuth vs. API-key examples) — if you rely on API keys vs OAuth, validate the auth method in your environment.
If you want stronger guarantees, require the agent to ask for explicit permission before any account/positions queries or order operations.
Like a lobster shell, security has layers — review code before you run it.
