Skill v1.0.1

ClawScan security

OpenD CLI for MooMoo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 1, 2026, 1:06 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested secrets match its stated purpose (local OpenD market-data and trading automation), with no evidence of hidden exfiltration or unrelated credential requests — but you should still inspect and control SDK and secret handling before using live accounts.
Guidance
This skill appears to do what it says: a local OpenD/Futu (MooMoo) CLI wrapper that supports secret-ref credential loading and simulated or live orders. Before installing it or using it with real money:
- Inspect and run the code in a safe environment (SIMULATE remains the default) and exercise the simulated trading paths first.
- Prefer OPEND_PASSWORD_SECRET_REF / gateway secret injection for hosted deployments; avoid setting MOOMOO_PASSWORD as a plain environment variable in hosted or shared environments, where environment variables leak easily through process listings, crash dumps and child processes.
- Verify the registry metadata and packaging: the bundle and SKILL.md document secret env vars, but the registry metadata claimed none. Ensure the published registry entry accurately lists the required secrets.
- Carefully control OPEND_SDK_PATH: the code inserts that path into sys.path and imports moomoo/futu from it, so anyone who can write to that directory can execute arbitrary code in the CLI's process at import time. Point OPEND_SDK_PATH only at trusted SDK code in a directory that untrusted users cannot modify.
- setup_config.py writes config.key and config.enc locally (the key file is written with mode 600). Treat these files as sensitive and move the key into a secret manager if the skill is used anywhere beyond a single local machine.
- If you intend to run live trading (trd_env=REAL), require explicit user confirmation and validate the unlock behavior; add a manual review or approval step to any agent workflow that could place live orders.
If you are unsure, run the provided smoke test (python3 scripts/release_smoke_test.py) and run the CLI with --help to confirm behavior, and keep live trading disabled until you have audited the environment and credential provisioning.
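The OPEND_SDK_PATH point above is the one item in the guidance that turns a configuration value into code execution, so it is worth showing what "trusted SDK path" should mean in practice. The following is an added example, not code from the skill or from ClawHub: the page only states that the skill inserts OPEND_SDK_PATH into sys.path and imports moomoo or futu from it. The checks (absolute path, not a symlink, owned by the current user or root, not group- or world-writable, optionally under a trusted root, and actually containing a moomoo/ or futu/ package) are an assumed policy for a hardened loader, and the trusted-root list and the demo() layout are constructed for illustration.

```python
"""Validate OPEND_SDK_PATH before it is placed on sys.path (added example)."""
import importlib
import os
import stat
import sys
import tempfile

SDK_PACKAGES = ("moomoo", "futu")  # package names the page says the skill imports


def sdk_dir_problems(path: str, trusted_roots=()) -> list:
    """Return the reasons why `path` must not be used as an SDK search path.

    An empty list means the directory passed every check. The policy below is
    an assumption about what a hardened loader should demand; the actual
    skill's checks, if any, are not described on the page.
    """
    problems = []
    if not os.path.isabs(path):
        return ["path is not absolute"]
    if os.path.islink(path):
        # A symlink lets whoever controls the link target swap the SDK later.
        return ["path is a symlink"]
    try:
        st = os.lstat(path)
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    # Anyone who can write here can drop a moomoo/__init__.py that runs on import.
    if st.st_uid not in (os.getuid(), 0):
        problems.append("directory owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("directory is group- or world-writable")
    # Optional allowlist: the directory must live under one of the trusted roots.
    if trusted_roots:
        real = os.path.realpath(path)
        inside = any(
            os.path.commonpath([real, os.path.realpath(r)]) == os.path.realpath(r)
            for r in trusted_roots
        )
        if not inside:
            problems.append("not under a trusted root")
    if not any(os.path.isdir(os.path.join(path, p)) for p in SDK_PACKAGES):
        problems.append("no moomoo/ or futu/ package directory inside")
    return problems


def import_sdk(path: str, trusted_roots=()):
    """Insert `path` at the front of sys.path only after it passes every check."""
    problems = sdk_dir_problems(path, trusted_roots)
    if problems:
        raise RuntimeError(f"refusing OPEND_SDK_PATH={path!r}: " + "; ".join(problems))
    sys.path.insert(0, path)
    for name in SDK_PACKAGES:
        try:
            return importlib.import_module(name)
        except ImportError:
            continue
    raise ImportError("no moomoo or futu package importable from " + path)


def demo() -> dict:
    """Constructed layouts in a fresh temp dir: one acceptable, several not."""
    base = tempfile.mkdtemp()
    good = os.path.join(base, "good")
    os.makedirs(os.path.join(good, "moomoo"))
    os.chmod(good, 0o755)
    loose = os.path.join(base, "loose")
    os.makedirs(os.path.join(loose, "futu"))
    os.chmod(loose, 0o777)  # world-writable: anyone could plant a package here
    empty = os.path.join(base, "empty")
    os.makedirs(empty)
    os.chmod(empty, 0o755)
    return {
        "good": sdk_dir_problems(good, trusted_roots=[base]),
        "loose": sdk_dir_problems(loose),
        "empty": sdk_dir_problems(empty),
        "outside": sdk_dir_problems(good, trusted_roots=["/opt/trusted-sdks"]),
        "relative": sdk_dir_problems("vendor/moomoo"),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {'ok' if not problems else '; '.join(problems)}")
```

The check deliberately inspects only the directory named by OPEND_SDK_PATH; a complete loader would also walk its parent directories, since a writable parent lets an attacker rename the whole tree out from under you. In a hosted deployment the simplest fix is to not honour OPEND_SDK_PATH at all and install the SDK into the image with pip.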

Review Dimensions

Purpose & Capability
ok · The name/description (OpenD CLI for MooMoo) aligns with the included Python CLI, core client, and credential helpers. The code interacts only with a local OpenD host via the moomoo/futu SDK and implements account discovery, snapshots, positions, and order placement as advertised. One mismatch: the registry metadata listed "Required env vars: none," while SKILL.md and the code document secret inputs (OPEND_PASSWORD_SECRET_REF, MOOMOO_PASSWORD, MOOMOO_CONFIG_KEY); this appears to be a packaging/metadata oversight but does not change the functional purpose.
Instruction Scope
ok · SKILL.md stays within the stated domain: it documents using the local OpenD host, credential methods, and safety defaults (SIMULATE). The instructions reference local files (config.enc, config.key) and env refs for credentials, which is expected for a trading wrapper. The guidance explicitly warns to use secret-ref injection for hosted use and to treat legacy paths as local-only. There are no instructions to read or transmit unrelated system data or to contact external endpoints beyond the SDK/OpenD local host.
Install Mechanism
ok · No install spec is provided (instruction-only install), and all included code is plain Python. There are no remote download URLs or archive extraction steps in the bundle. The skill does recommend installing SDKs (moomoo or futu) and optional libraries (keyring, cryptography), which is proportionate to the functionality.
Credentials
note · The secrets and env vars documented in SKILL.md and used in code are proportional to a trading skill: OPEND_PASSWORD_SECRET_REF (preferred), MOOMOO_PASSWORD, MOOMOO_CONFIG_KEY, and runtime overrides (OPEND_HOST, OPEND_PORT, OPEND_SDK_PATH, etc.). The only concern is the registry metadata claiming no required env vars while the package clearly documents secret inputs; verify the registry entry before hosted deployment. No unrelated third-party credentials are requested.
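The scan recommends a precedence among these inputs (secret ref first, plain MOOMOO_PASSWORD only for local use, config.key treated as sensitive) without showing what enforcing it looks like. The block below is an added example, not the skill's credential helper: the page does not define the secret-ref syntax, so the "env:NAME" and "file:/path" forms are assumptions, as is the `hosted` flag (how a deployment knows it is hosted is environment-specific). The file checks mirror the mode-600 handling the page attributes to setup_config.py; the sample env dicts and key files in demo() are constructed.

```python
"""Resolve the OpenD password with the precedence the scan recommends (added example)."""
import os
import stat
import tempfile


class CredentialError(Exception):
    """Raised when a credential source is missing, malformed or too exposed."""


def write_private_file(path: str, data: str) -> None:
    """Create `path` with mode 0600 atomically; refuse to clobber an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(data)


def require_private_file(path: str) -> None:
    """Refuse secret files that are not a regular file, owned by us, and mode 0600."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise CredentialError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise CredentialError(f"{path}: owned by another user")
    if st.st_mode & 0o077:
        raise CredentialError(f"{path}: mode {oct(st.st_mode & 0o777)} is too permissive, expected 0600")


def resolve_secret_ref(ref: str, env) -> str:
    """Dereference a secret reference. Assumed schemes: env:NAME and file:/path."""
    scheme, _, target = ref.partition(":")
    if scheme == "env":
        value = env.get(target)
        if not value:
            raise CredentialError(f"secret ref {ref!r}: variable {target!r} is not set")
        return value
    if scheme == "file":
        require_private_file(target)  # a 0644 password file is as bad as a plain env var
        with open(target, encoding="utf-8") as fh:
            return fh.read().strip()
    raise CredentialError(f"secret ref {ref!r}: unsupported scheme {scheme!r}")


def resolve_password(env, hosted: bool, config_key_path=None):
    """Return (password, source). Precedence: secret ref > plain env (local only) > legacy config."""
    ref = env.get("OPEND_PASSWORD_SECRET_REF")
    if ref:
        return resolve_secret_ref(ref, env), "secret_ref"
    plain = env.get("MOOMOO_PASSWORD")
    if plain:
        if hosted:
            raise CredentialError("MOOMOO_PASSWORD is not accepted in hosted mode; set OPEND_PASSWORD_SECRET_REF")
        return plain, "plain_env"
    if config_key_path and os.path.exists(config_key_path):
        # Legacy local path: only check the key file's exposure here; decrypting
        # config.enc with MOOMOO_CONFIG_KEY is the skill's job and is not shown.
        require_private_file(config_key_path)
        return None, "legacy_local"
    return None, "none"


def demo() -> dict:
    """Constructed cases: a good key file, a loose one, and several env layouts."""
    base = tempfile.mkdtemp()
    good = os.path.join(base, "config.key")
    write_private_file(good, "filepw\n")
    loose = os.path.join(base, "loose.key")
    write_private_file(loose, "x\n")
    os.chmod(loose, 0o644)  # simulate a key file someone 'fixed' to be readable
    out = {
        "ref_env": resolve_password({"OPEND_PASSWORD_SECRET_REF": "env:OPEND_PW", "OPEND_PW": "s3cret"}, hosted=True),
        "ref_file": resolve_password({"OPEND_PASSWORD_SECRET_REF": "file:" + good}, hosted=True),
        "plain_local": resolve_password({"MOOMOO_PASSWORD": "pw"}, hosted=False),
        "legacy": resolve_password({}, hosted=False, config_key_path=good),
        "nothing": resolve_password({}, hosted=False),
    }
    for name, env in (("plain_hosted", {"MOOMOO_PASSWORD": "pw"}),
                      ("loose_file", {"OPEND_PASSWORD_SECRET_REF": "file:" + loose})):
        try:
            resolve_password(env, hosted=True)
            out[name] = "accepted"
        except CredentialError as exc:
            out[name] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The registry-metadata mismatch the scan flags is easiest to catch with the same function: if a hosted deployment provisions no secret at all, resolve_password returns (None, "none") and the CLI should stop there rather than silently fall through to an unlock attempt with an empty password.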
Persistence & Privilege
ok · The skill does not request always:true or other elevated persistent privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but is not combined with other high-risk indicators here.