Sim Trade
Security checks across malware telemetry and agentic risk
Overview
The local simulator code is mostly straightforward, but the skill asks users to store full browser cookies or broker API tokens for external account access without clear scoping or a real implemented integration.
Using the local simulation and quote lookup appears reasonable. Treat the external-platform setup as high risk: do not paste full cookies or broker tokens unless the provider clearly documents the exact access needed, where the credentials go, and how to revoke or delete them.
VirusTotal
63/63 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user pastes these credentials, the skill environment may gain access to financial or simulated-trading accounts beyond a simple local simulator.
The skill asks users to provide raw browser session cookies and broker API tokens. Those credentials can carry broad account authority, but the artifacts do not define exact scopes, permitted actions, or credential lifecycle controls.
Get the Cookie (Developer Tools → Network → copy the Cookie from the request headers)... "cookie": "your_cookie_here" ... "token": "your_api_token"
Use local mode unless external integration is truly needed. Do not paste full browser cookies; prefer least-privilege, revocable API tokens and rotate or remove them after use.
A user may hand over sensitive account cookies or tokens expecting a working integration, even though the artifact does not show a bounded implementation.
The documentation claims multi-platform account connection support and requests login credentials, while the included sync implementations only print setup guidance and return False. This can lead users to trust and provide credentials for an unclear or incomplete feature.
SKILL.md: "Multi-platform simulated trading | Tonghuashun / Eastmoney / Ant Fortune (login required)"; sync.py: "def sync_eastmoney(cookie): ... return False"
The publisher should either remove the credential-based integration claims or document and implement the exact endpoints, data flows, scopes, and safety controls before asking users for credentials.
Running buy, sell, or init commands can change or reset the simulated portfolio and trade history, though the included trade code does not place real trades.
Buy and sell commands mutate local simulator account, position, and trade-log files. This is expected for the stated simulator purpose, but users should know the agent can change local trading records when invoked.
account.deduct(total_cost); positions.buy(code, name, exec_price, quantity); record_trade(code, name, 'buy', exec_price, quantity, fee, 0)
Confirm trade and reset commands before running them, especially if the simulated records matter to you.
Your simulated portfolio and trade history remain on disk until you delete them; if you follow the credential setup instructions, related config may also remain there.
The skill persistently stores account, position, and trade-history data under a fixed local directory. This is purpose-aligned, but it means financial simulation records remain available across sessions.
DATA_DIR = os.path.expanduser("~/.openclaw/sim_trade"); ACCOUNT_FILE = os.path.join(DATA_DIR, "account.json"); POSITIONS_FILE = os.path.join(DATA_DIR, "positions.json"); TRADES_FILE = os.path.join(DATA_DIR, "trades.txt")
Review ~/.openclaw/sim_trade for stored data and remove any credentials or records you no longer want to keep.
