Fubon Cli
v0.1.1
AI-agent skill for Taiwan stock/futures/options operations via fubon-cli. Use this skill whenever the user asks about Fubon Neo login, order placement, accou...
by @mofesto
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the SKILL.md: the document repeatedly instructs how to run fubon-cli to login, place orders, query accounts, and subscribe to realtime data. Requiring certificates, account IDs/passwords, and API keys is coherent with the trading automation purpose.
Instruction Scope
The instructions tell the agent to run fubon CLI commands that require credentials and certificate files and provide examples that pass passwords, cert passwords, and API keys on the command line. Passing secrets as CLI arguments can leak to process lists, shell history, or logs. The SKILL.md's guidance to "Do not expose raw credentials in logs or chat output" is present but not prescriptive (no secure auth patterns such as using prompting, stdin, restricted files, or environment variables are mandated). The doc also contains CI/publish scripting references (e.g., scripts/publish_skill.py requiring CLAWHUB_API_TOKEN) that are about publishing the skill and not about runtime behavior — this mixes operational/publishing concerns into the runtime instructions.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not itself install binaries. That is the lowest install risk. The SKILL.md suggests installing packages (pip install fubon-cli or a local wheel) but those are user actions and are noted clearly as preconditions.
Credentials
The skill will require sensitive credentials (account ID/password, cert files and cert passwords, API keys), but the registry metadata declares no required env vars or primary credential. The SKILL.md examples demonstrate passing secrets on the command line and include a command that can store an OpenAI key in the fubon-cli config. There is a mismatch between the skill's sensitive needs and the manifest's lack of declared credential requirements and explicit secure handling.
Persistence & Privilege
The skill does not request always: true and does not claim to modify other skills or global agent settings. It simply instructs use of the fubon CLI and mentions keeping the skill version aligned with the fubon-cli package; this is operational, not a privilege escalation.
What to consider before installing
Before installing or enabling this skill:
(1) understand it will run the fubon-cli on your machine and requires your trading account credentials, certificate files, and cert passwords — do not supply these unless you fully trust both the fubon-cli binary and this skill's runtime environment.
(2) Avoid passing secrets on the command line (they can appear in process lists and shell history); prefer secure methods (secured files with restricted permissions, prompting, or environment variables handled by the user) and audit how fubon-cli stores any keys (e.g., fubon config).
(3) Verify the origin and integrity of the fubon-cli package and any wheels before pip installing; prefer official releases from a known repository.
(4) The SKILL.md references CI/publish scripts that require a CLAWHUB_API_TOKEN — that is about publishing the skill and not needed at runtime; do not expose such platform tokens to the skill runtime.
(5) Consider enabling this skill only when needed and review logs/output to ensure no secrets are emitted.
Additional information that would reduce my concern: explicit secure-auth guidance in SKILL.md (e.g., how to provide credentials without CLI args), declared required env vars or credential interfaces in the manifest, or a trusted install/source URL for fubon-cli.
Like a lobster shell, security has layers — review code before you run it.
