Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FW Trading

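Fosun Wealth OpenAPI skill collection, comprising two modules: SDK environment initialization and securities trading. It covers SDK installation and configuration, credential management, market data queries, funds/holdings queries, cash flow queries, order placement/cancellation, and order management, and supports the Hong Kong (L2), US (L1), and A-share Hong Kong Stock Connect (L1) markets.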

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 15 · 0 current installs · 0 all-time installs
by Andnrew Yang @2023Andrewyang
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, SKILL.md, docs, and the Python scripts consistently implement a Fosun OpenAPI trading SDK: market queries, funds/holdings, cash flows, place/cancel orders. The requested capabilities (API key, client private key, server public key) are coherent with a trading SDK. However the registry metadata claims 'Required env vars: none' and 'instruction-only' while the package contains code that expects FSOPENAPI_* environment variables and a local SDK — this mismatch is unexpected.
Instruction Scope
Runtime instructions and scripts will: (1) auto-load credentials from a workspace-level fosun.env into FSOPENAPI_* env vars, (2) require running the provided CLI Python scripts from a specific workspace virtualenv path, and (3) instruct the agent to never create a new virtualenv and to prefer reusing an existing .venv-fosun (and to check memory files for environment paths). These behaviors are within the trading use-case but give the skill broad read/write scope over workspace files (fosun.env) and strong control over which interpreter is used.
Install Mechanism
There is no declared install spec (no automatic downloads), but code references installing a local SDK with a pip -e path inside the workspace. The package includes code and a genkey.sh; nothing downloads from external/unknown URLs. The absence of an install step reduces remote-code-download risk, but the scripts expect the SDK to be available (or for the user to run a local pip install command).
Credentials
The skill requires sensitive credentials to function: FSOPENAPI_API_KEY, FSOPENAPI_CLIENT_PRIVATE_KEY, and FSOPENAPI_SERVER_PUBLIC_KEY (and optionally FSOPENAPI_BASE_URL). Those are appropriate for a trading SDK, but the registry metadata failed to declare them. The skill will automatically load fosun.env from the workspace root and populate environment variables if present — this automatic loading of workspace credential files is a meaningful risk and should be explicit to the user.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It does not modify other skills or global settings. It does, however, insist on reusing a specific workspace virtualenv and will load fosun.env from the workspace — a normal level of presence for a client SDK, but worth noting.
What to consider before installing
This skill implements a Fosun trading SDK and will need your Fosun API key and PEM private/public keys to operate; however the registry metadata does not declare any required env vars, which is inconsistent. Before installing or running:
1) Confirm you trust the skill author and the source (no homepage/source repo provided).
2) Manually inspect fosun.env (if present) and do not store secrets in plain files unless you accept that risk.
3) Expect to provide FSOPENAPI_API_KEY, FSOPENAPI_CLIENT_PRIVATE_KEY, and FSOPENAPI_SERVER_PUBLIC_KEY (or keep them in fosun.env).
4) The skill insists on using an existing .venv-fosun path and prints absolute paths referencing a specific user; run the scripts in an isolated environment (or verify the referenced .venv is safe) to avoid accidental use of a privileged/system Python.
5) The place_order logic includes a required human confirmation step in the docs — ensure any automated agent honoring this skill enforces that confirmation before executing live orders.
If you need higher assurance, request the upstream repository/source and validate the SDK distribution and endpoints before providing credentials.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1
latestvk972haypny6pwa9qh87tgp7tex8309bv


SKILL.md

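Fosun Wealth OpenAPI Skill Set

This directory contains all skills related to the Fosun Wealth OpenAPI, providing unified management of SDK configuration and trading operations for Hong Kong stocks, US stocks, and A-shares (Hong Kong Stock Connect).


Sub-skills at a glance

1. fosun-sdk-setup — SDK initialization and credential management

Path: fosun-sdk-setup/SKILL.md

Purpose: Install, verify, and configure the Fosun OpenAPI SDK (fsopenapi), and manage API credentials through fosun.env.

Core features:

  • SDK installation: Detects and installs the fsopenapi .venv-fosun virtual environment (supports local source or download from GitHub)
  • Onboarding guide: On first use, guides the user through generating a client key pair, obtaining the egress IP, and applying for API access
  • Credential management: Interactively collects credentials through conversation and writes them to fosun.env (including the server public key, client private key, and API Key)
  • Credential updates: Supports switching accounts, replacing the API Key, and reconfiguring after an authentication failure

Use cases: First-time SDK setup; fixing installation/import/authentication problems; rotating the API Key or switching accounts; a prerequisite for the other fosun-* skills.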


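2. fosun-trading — Securities trading toolkit

Path: fosun-trading/SKILL.md

Purpose: Perform market data queries, fund management, and trading operations through command-line scripts.

Core features:

| Function | Script | Description |
|---|---|---|
| Market data query | query_price.py | Quotes, order book, K-line, intraday chart, tick-by-tick trades, broker queue |
| Bid/ask information query | query_bidask.py | Shares per lot (lotSize), buyable/sellable quantity, buying power |
| Funds/holdings query | query_funds.py | Funds summary, holdings list, account list |
| Cash flow query | query_cashflows.py | Details of cash inflows and outflows, queried by date/type |
| Place order | place_order.py | Limit / enhanced limit / special limit / auction / market orders |
| Order query | list_orders.py | Filter orders by status/date/side/market |
| Cancel order | cancel_order.py | Cancel unfilled orders |

Use cases: Querying stock quotes, viewing account balances and holdings, querying cash flows, buying and selling stocks, managing orders.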


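Supported markets

| Market code | Description | Market data level | Currency |
|---|---|---|---|
| hk | Hong Kong stocks | L2 (including order book and broker queue) | HKD |
| us | US stocks | L1 (pre-market / regular hours / after-hours) | USD |
| sh | Shanghai Stock Exchange (Hong Kong Stock Connect) | L1 | CNH |
| sz | Shenzhen Stock Exchange (Hong Kong Stock Connect) | L1 | CNH |

Symbol format: market code + stock code, e.g. hk00700 (Tencent), usAAPL (Apple), sh600519 (Moutai), sz000001 (Ping An Bank).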


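Environment requirements

  • Python virtual environment: {workspace_root}/.venv-fosun
  • Credentials file: {workspace_root}/fosun.env
  • Do not create a new virtual environment or use the system Python without authorization
  • Always run all scripts with the absolute path of the interpreter inside the virtual environment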

Files

21 total