Back to skill

Security audit

OpenD CLI for MooMoo

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed trading helper, not malware, but it can place or cancel live brokerage orders and handle trading credentials with limited built-in safeguards.

Install only if you intentionally want an agent-accessible MooMoo/Futu trading tool. Keep SIMULATE as the default, avoid enabling REAL trading without a separate human approval process, prefer OpenClaw-managed secret refs, avoid keyring/config storage on shared or hosted machines, and do not set OPEND_SDK_PATH to untrusted directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises shell execution, environment-variable access, and file read/write behavior, but the metadata shown in SKILL.md does not declare corresponding permissions. In an agent setting, this creates a transparency and policy-enforcement gap: a reviewer or runtime may underestimate what the skill can do, even though the documented interface clearly supports executing local commands, loading secrets, and interacting with local files.

Missing User Warnings

High
Confidence
94% confidence
Finding
This CLI exposes direct order placement and cancellation commands and accepts a REAL trading environment flag, but it does not require any explicit confirmation, dry-run acknowledgement, or high-friction safety check before executing potentially irreversible financial actions. In an agentic workflow, this materially increases the risk of accidental or unauthorized trades from prompt mistakes, automation bugs, or misuse of the tool.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This method can place real trades, including after automatically unlocking trading credentials, without any in-function confirmation, policy gate, or explicit enforcement that live trading is disallowed by default. In an agentic automation context, that makes accidental or prompt-induced unauthorized market orders materially more dangerous than in ordinary application code.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Order cancellation is a destructive trading action that can materially alter account behavior, yet this method executes it directly once called and may auto-unlock live trading first. In an autonomous agent skill, the absence of a confirmation or higher-friction approval path increases the risk of accidental or manipulated cancellation of legitimate orders.

Credential Access

High
Category
Privilege Escalation
Content
- Legacy compatibility:
  - `env`: reads `MOOMOO_PASSWORD`
  - `config`: reads `MOOMOO_CONFIG_KEY` and decrypts `config.enc`
  - `keyring`: prompts once and stores password in the OS keyring
- Deliberate warning:
  - `env`, `config`, and `keyring` bypass the preferred OpenClaw secret-ref audit path. Use them only for local development or controlled offline workflows.
Confidence
84% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
- Legacy compatibility:
  - `env`: reads `MOOMOO_PASSWORD`
  - `config`: reads `MOOMOO_CONFIG_KEY` and decrypts `config.enc`
  - `keyring`: prompts once and stores password in the OS keyring
- Deliberate warning:
  - `env`, `config`, and `keyring` bypass the preferred OpenClaw secret-ref audit path. Use them only for local development or controlled offline workflows.
Confidence
84% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
- `config`: reads `MOOMOO_CONFIG_KEY` and decrypts `config.enc`
  - `keyring`: prompts once and stores password in the OS keyring
- Deliberate warning:
  - `env`, `config`, and `keyring` bypass the preferred OpenClaw secret-ref audit path. Use them only for local development or controlled offline workflows.

## Agentic Defaults
Confidence
80% confidence
Finding
keyring

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.