KIS Trading (한국투자증권)
v1.0.0
Korean stock trading via KIS (Korea Investment & Securities) Open API. Balance, quotes, buy/sell orders, trade history, market overview.
by @tgparkk
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name/description align with shipped Python scripts: balance, holdings, quote, market, history, order and setup. Requested binary (python3) and dependency (requests) are appropriate for the stated purpose. The implementation uses a local config (~/.kis-trading/config.ini) rather than environment variables, which is coherent for a CLI-style trading tool.
Instruction Scope
SKILL.md and scripts limit network activity to KIS endpoints and explain required commands. However, the safety instruction to 'always confirm with the user before placing orders' is only a human-guidance comment — nothing in the code enforces an interactive confirmation when run programmatically. An automated agent with permission to run the skill could call scripts (e.g., scripts/order.py) and place real trades. Scripts also read/write files under the user's home directory (~/.kis-trading), which contain sensitive credentials and cached tokens.
Install Mechanism
There is no install spec (instruction-only skill with included scripts). SKILL.md lists pip ['requests'] as a dependency; the code uses only requests for HTTP. No external downloads, package installs from unknown URLs, or archive extraction are present. Risk from install mechanism is low.
Credentials
The skill uses a config file for APP_KEY / APP_SECRET / ACCOUNT_NO and caches an access token to ~/.kis-trading/token.json. This is proportionate to trading functionality. Two small inconsistencies: SKILL.md metadata lists config_keys named KIS_APP_KEY / KIS_APP_SECRET / KIS_ACCOUNT_NO / KIS_BASE_URL while the code expects APP_KEY / APP_SECRET / ACCOUNT_NO and reads BASE_URL from the config; registry metadata also lists no required env vars. Storing secrets in a plaintext config file and caching tokens to disk are expected here but are sensitive and worth being explicit about.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It does persist an OAuth token to ~/.kis-trading/token.json (attempting to set file mode 600). That persistence is reasonable for usability, but when combined with the skill's ability to place live orders and the platform's normal autonomous-invocation capability, it increases blast radius if the skill or agent is compromised.
What to consider before installing
This skill appears to implement the KIS trading API as advertised, but review and test before using with real money.
- Verify the config file format and names: the code expects [KIS] APP_KEY, APP_SECRET, ACCOUNT_NO and BASE_URL in ~/.kis-trading/config.ini. SKILL.md metadata keys (KIS_...) do not match the code and should be corrected.
- Use the demo BASE_URL (openapivts...) and a mock/demo account first to confirm behavior.
- Be aware credentials (APP_SECRET) are stored in a local config file and an access token is cached under ~/.kis-trading/token.json. Ensure those files have appropriate filesystem permissions and only put minimal-scoped credentials in them.
- The SKILL.md asks the agent to confirm orders, but the code does not enforce interactive confirmation in non-interactive invocations. If you allow the agent to invoke skills autonomously, it could place orders programmatically. Restrict autonomous invocation or require explicit human confirmation in your agent policy before executing order commands.
- If you cannot audit or host the skill yourself, consider using a trusted, reviewed integration from your broker or run these scripts locally under your direct control. If you install, first exercise only read-only endpoints (balance/quote/history) and validate all behaviors in demo mode.

Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📈 Clawdis
Bins: python3
