ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Longbridge

v1.0.0

Longbridge platform expert for investment analysis AND developer tasks. TRIGGER on ANY of: (1) any stock/market analysis request in any language — price perf...

0· 145·1 current·1 all-time
byJason Lee@huacnlee

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for huacnlee/longbridge-developers.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Longbridge" (huacnlee/longbridge-developers) from ClawHub.
Skill page: https://clawhub.ai/huacnlee/longbridge-developers
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install longbridge-developers

ClawHub CLI

Package manager switcher

npx clawhub@latest install longbridge-developers
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description and included reference docs (CLI, Python/Rust SDKs, MCP) match the stated purpose of being a Longbridge platform expert for investment analysis and developer tasks. The files provide expected SDK/CLI usage and trading examples.
!
Instruction Scope
The runtime instructions tell the agent to execute CLI/SDK commands that access account positions, news, and can place orders. The docs explicitly say to always pull positions when users ask about portfolios and include order placement examples. The references also disclose local token cache paths (~/.longbridge/...) and recommend connecting MCP which 'exposes tools to the AI' — this gives an agent access to sensitive account actions if OAuth is authorized. The SKILL.md does not explicitly constrain the agent from reading local token files or auto-executing orders, so the instruction scope is broader than a read-only analysis skill.
Install Mechanism
This is an instruction-only skill (no install spec), which is lower risk. However the bundled docs recommend installing the CLI with Homebrew (fine) or via a remote install script piped from GitHub raw (curl ... | sh). That install method (download-and-execute) carries higher risk in general and should be validated by the user before running.
!
Credentials
The skill declares no required env vars or credentials, which is reasonable because Longbridge uses OAuth, but multiple reference files reveal token cache paths and environment variables (LONGBRIDGE_*). The skill's functionality (view positions, place orders, subscribe to push events) legitimately requires account OAuth tokens — access to these is highly sensitive. The skill does not request explicit read-only scope limits, so enabling it could permit trading-capable actions if OAuth consent is granted.
Persistence & Privilege
always:false and no install spec are good. However the SKILL.md author recommends broad trigger conditions (TRIGGER on ANY ticker/portfolio mention) and MCP integration that 'automatically exposes tools to the AI'. Combined with default autonomous invocation, this creates a higher blast radius: an agent could be triggered frequently and may be able to call trade APIs if the user authorizes OAuth. This is not inherently malicious but increases risk and should be constrained by the user (scopes, confirmation rules).
What to consider before installing
This skill appears to be genuine Longbridge documentation packaged to help an AI use the Longbridge CLI/SDK/MCP, but it can access and act on highly sensitive account functionality if you connect an account. Before installing or enabling: (1) Only connect Longbridge OAuth with the minimum scopes (prefer read-only) and require explicit confirmations for any order placement; (2) review and control triggers — the skill requests activation on any ticker/portfolio mention which may cause unintended calls; (3) do not run curl | sh install scripts blindly — prefer Homebrew or inspect the script first; (4) be aware the docs mention token cache paths (~/.longbridge/...), so the agent could try to use or read local tokens if present; (5) if you do not want the agent to place trades, avoid granting trade scopes or self-host MCP with restricted tools. These precautions will reduce the risk of accidental data exposure or unintended trading actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97czw0aagf78k7r9gex0wfbq583ncyq
145downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
Jason Lee@huacnlee
latest
Download

Longbridge Developers Platform

Full-stack financial data and trading platform: CLI, Python/Rust SDK, MCP, and LLM integration.

Official docs: https://open.longbridge.com llms.txt: https://open.longbridge.com/llms.txt

For setup and authentication details, see references/setup.md.

Investment Analysis Workflow

When the user asks about stock performance, portfolio advice, or market analysis:

  1. Get live data via CLI — quotes, positions, K-line history, intraday
  2. Get news/catalysts via CLI — prefer Longbridge first; fall back to WebSearch only if insufficient
  3. Combine — price action + volume + catalyst → analysis + suggestion
# Market data
longbridge quote SYMBOL.US
longbridge positions                # always pull when user asks about "my portfolio"
longbridge kline-history SYMBOL.US --start YYYY-MM-DD --end YYYY-MM-DD --period day
longbridge intraday SYMBOL.US

# News & content (prefer these over WebSearch)
longbridge news SYMBOL.US           # latest news articles
longbridge news-detail <id>         # full article content
longbridge filing-detail <id>       # regulatory filing (earnings reports, etc.)
longbridge topics SYMBOL.US         # community discussion
longbridge market-temp              # market sentiment index (0–100)

Only fall back to WebSearch when Longbridge news is insufficient (e.g., breaking news not yet indexed, macro events unrelated to a specific symbol).

Choose the Right Tool

User wants to...                         → Use
─────────────────────────────────────────────────────────────────
Quick quote / one-off data lookup        CLI
Interactive terminal workflows           CLI
Script market data, save to file         CLI + jq  (or Python SDK)
Loops, conditions, transformations       Python SDK (sync)
Async pipelines, concurrent fetches      Python SDK (async)
Production service, high throughput      Rust SDK
Real-time WebSocket subscription loop    SDK (Python or Rust)
Programmatic order strategy              SDK
Talk to AI about stocks (no code)        MCP (hosted or self-hosted)
Use Cursor/Claude for trading analysis   MCP
Add Longbridge API docs to IDE/RAG       LLMs.txt / Markdown API

Symbol Format

<CODE>.<MARKET> — applies to all tools.

MarketSuffixExamples
Hong KongHK700.HK, 9988.HK, 2318.HK
United StatesUSTSLA.US, AAPL.US, NVDA.US
China ShanghaiSH600519.SH, 000001.SH
China ShenzhenSZ000568.SZ, 300750.SZ
SingaporeSGD05.SG, U11.SG
CryptoHASBTCUSD.HAS, ETHUSD.HAS

Reference Files

CLI (Terminal)

Always use longbridge --help to list available commands, and longbridge <command> --help for specific options and flags. Do not rely on hardcoded documentation — the CLI's built-in help is always up-to-date.

Python SDK

Rust SDK

AI Integration

  • MCP — hosted service, self-hosted server, setup & auth: references/mcp.md
  • LLMs & Markdown — llms.txt, open.longbridge.com doc Markdown, longbridge.com live news/quote pages (.md suffix + Accept header), Cursor/IDE integration: references/llm.md

Load specific reference files on demand — do not load all at once.

Comments

Loading comments...