Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FW Trading

A collection of Fosun Wealth OpenAPI skills with two modules: SDK environment initialization and securities trading. It covers SDK installation and configuration, credential management, market data queries, funds/position queries, cash-flow queries, order placement/cancellation and order management, and supports Hong Kong stocks (L2), US stocks (L1) and A-shares via Stock Connect (L1).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 28 · 0 current installs · 0 all-time installs
by Andrew Yang (@2023Andrewyang)
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The skill name/description promise an SDK setup and trading toolset and the included Python scripts/docs implement that. However the registry metadata declared no required environment variables or primary credential, while both SKILL.md and the code require sensitive variables (FSOPENAPI_API_KEY, FSOPENAPI_CLIENT_PRIVATE_KEY, FSOPENAPI_SERVER_PUBLIC_KEY, optionally FSOPENAPI_BASE_URL). The omission in metadata is an incoherence that reduces transparency.
Instruction Scope
Runtime instructions stay within trading scope (query prices, funds, place/cancel orders) and explicitly require user confirmation before executing real orders. They also instruct reusing a specific workspace virtualenv and checking memory files for existing environments. The code auto-loads credentials from a workspace 'fosun.env' and injects them into process env if present — this automatic loading is relevant to the skill purpose but is a behavior users should be aware of because it reads local files containing secrets (SKILL.md even mentions /tmp though the code only checks workspace root).
Install Mechanism
There is no install spec (instruction-only skill with bundled scripts), so nothing is downloaded/executed on install. The SKILL.md suggests installing a local SDK (pip install -e from a workspace path) rather than fetching remote code. No external download URLs or shortened links were found.
Credentials (flagged)
The skill legitimately requires sensitive credentials (API key, client private key, server public key) to call Fosun OpenAPI. But the registry metadata did not declare any required env vars or a primary credential. Additionally, _client.py will read fosun.env from the workspace and populate environment variables at runtime if they are not already set, which means secrets stored in workspace files will be automatically loaded into the process — this is functional for the purpose but should have been declared up-front.
Persistence & Privilege
The skill does not request 'always: true', does not alter other skills' configuration, and has no install-time persistence. It only reads a workspace file and sets process environment variables at runtime; it does not persist credentials to system-wide locations or modify other agent settings.
What to consider before installing
This skill appears to implement the trading functions it claims, but there are two things to check before installing/using: (1) Metadata vs reality — the registry listing does not declare required credentials, yet the code and SKILL.md require FSOPENAPI_API_KEY, FSOPENAPI_CLIENT_PRIVATE_KEY, and FSOPENAPI_SERVER_PUBLIC_KEY; ask the author to declare these in the skill metadata. (2) Credential handling — the code will automatically load a fosun.env file from the workspace and inject its values into environment variables. Verify that any fosun.env file is stored securely (not in shared/workspace backups) and inspect its contents before use. Additional recommendations: review the included genkey.sh and SKILL onboarding docs to ensure they don't transmit keys externally, verify the origin and integrity of the fsopenapi SDK before installing it (it is referenced as a local editable install in the repo), and always exercise the explicit confirmation path before allowing any automated order placement. If you do not trust the source or cannot confirm the SDK origin, avoid supplying live API keys or running the scripts with real accounts.
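A pre-flight check of the kind the paragraph recommends, written here as an added example and not the skill's own code: it parses a fosun.env the way a plain KEY=VALUE loader would and reports loose file permissions, missing required variables, unrelated variables, and any variable the existing environment would silently shadow (the scan notes the loader only fills unset variables). The variable names come from the scan report; the file format, the `self_check` helper and all sample values are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

REQUIRED_VARS = ("FSOPENAPI_API_KEY", "FSOPENAPI_CLIENT_PRIVATE_KEY",
                 "FSOPENAPI_SERVER_PUBLIC_KEY")  # required per the scan report
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def parse_env_file(path):
    """Parse KEY=VALUE lines; blanks and # comments never match LINE_RE and are skipped."""
    values = {}
    lines = Path(path).read_text(encoding="utf-8").splitlines()
    for m in filter(None, map(LINE_RE.match, lines)):
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]  # strip one pair of matching quotes
        values[key] = val
    return values

def check_env_file(path, environ=None):
    """Return a list of findings for a fosun.env file; an empty list means it passed."""
    environ = os.environ if environ is None else environ
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"mode {oct(mode)} allows group/other access; expected 0o600")
    values = parse_env_file(path)
    findings += [f"{n} missing or empty" for n in REQUIRED_VARS if not values.get(n)]
    for name, val in values.items():
        if not name.startswith("FSOPENAPI_"):
            findings.append(f"unexpected variable {name}")
        # The loader only fills unset variables, so a pre-existing value silently wins.
        elif name in environ and environ[name] != val:
            findings.append(f"{name} already set in the environment; file value ignored")
    return findings

def self_check():
    """Run the checker over constructed sample files (not real credentials)."""
    good = ('FSOPENAPI_API_KEY="constructed-api-key"\n'
            'FSOPENAPI_CLIENT_PRIVATE_KEY=constructed-private-key\n'
            'FSOPENAPI_SERVER_PUBLIC_KEY=constructed-public-key\n')
    bad = ('FSOPENAPI_API_KEY=constructed-api-key\nFSOPENAPI_SERVER_PUBLIC_KEY=\n'
           'AWS_SECRET_ACCESS_KEY=constructed-unrelated-secret\n')
    with tempfile.TemporaryDirectory() as tmp:
        g, b = Path(tmp, "good.env"), Path(tmp, "bad.env")
        g.write_text(good); os.chmod(g, 0o600)
        b.write_text(bad); os.chmod(b, 0o644)
        return {"good": check_env_file(g, {}), "bad": check_env_file(b, {}),
                "shadowed": check_env_file(g, {"FSOPENAPI_API_KEY": "other"})}
```

Run `check_env_file("fosun.env")` against the real workspace file (with the default environment) before the first script invocation; any non-empty result is worth resolving first.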


Current version: v1.0.0
Latest: vk97bqsv2a3ppt232h8rd07knfd83062z


SKILL.md

Fosun Wealth OpenAPI Skill Set

This directory contains all skills related to the Fosun Wealth OpenAPI and manages, in one place, SDK configuration and trading operations for Hong Kong stocks, US stocks and A-shares (via Stock Connect).


Sub-skill overview

1. fosun-sdk-setup — SDK initialization and credential management

Path: fosun-sdk-setup/SKILL.md

Purpose: install, verify and configure the Fosun OpenAPI SDK (fsopenapi), managing API credentials through fosun.env.

Core functions:

  • SDK installation: detects and installs fsopenapi into the .venv-fosun virtual environment (from local source or a GitHub download)
  • Onboarding guide: on first use, guides the user through generating a client key pair, obtaining the egress IP and applying for API access
  • Credential management: collects credentials interactively in the conversation and writes them to fosun.env (server public key, client private key, API Key)
  • Credential updates: supports switching accounts, replacing the API Key and reconfiguring after authentication failures

Typical scenarios: first-time SDK setup, fixing installation/import/authentication problems, rotating the API Key or switching accounts, and serving as a prerequisite for the other fosun-* skills.


2. fosun-trading — securities trading toolset

Path: fosun-trading/SKILL.md

Purpose: perform market data queries, funds management and trading operations through command-line scripts.

Core functions:

Function | Script | Description
Market data query | query_price.py | quotes, order book, candlesticks, intraday, tick-by-tick trades, broker queue
Bid/ask info query | query_bidask.py | shares per lot (lotSize), buyable/sellable quantity, buying power
Funds/positions query | query_funds.py | funds summary, position list, account list
Cash-flow query | query_cashflows.py | cash inflows/outflows filtered by date/type
Place order | place_order.py | limit / enhanced limit / special limit / auction / market orders
Order list | list_orders.py | filter orders by status/date/direction/market
Cancel order | cancel_order.py | cancel unfilled orders

Typical scenarios: querying stock quotes, viewing account balance and positions, querying cash flows, buying and selling stocks, managing orders.


Supported markets

Market code | Description | Data level | Currency
hk | Hong Kong stocks | L2 (incl. order book, broker queue) | HKD
us | US stocks | L1 (pre-market / regular / after-hours) | USD
sh | Shanghai Stock Exchange (Stock Connect) | L1 | CNH
sz | Shenzhen Stock Exchange (Stock Connect) | L1 | CNH

Symbol format: market code + ticker, e.g. hk00700 (Tencent), usAAPL (Apple), sh600519 (Kweichow Moutai), sz000001 (Ping An Bank).


Environment requirements

  • Python virtual environment: {workspace_root}/.venv-fosun
  • Credential file: {workspace_root}/fosun.env
  • Do not create a new virtual environment or use the system Python
  • Run every script with the absolute path of the interpreter inside the virtual environment

Files: 21 total