Futu Client

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked after trading is unlocked, the agent could submit real buy or sell orders that may cause financial loss.

Why it was flagged

The skill exposes an order-placement method that defaults to the real trading environment, and the visible code does not require an explicit confirmation step before submitting the order.

Skill content

def place_order(..., trd_env: TrdEnv = TrdEnv.REAL) ... ctx.place_order(..., trd_env=trd_env)

Recommendation

Default all trading methods to SIMULATE, require explicit user confirmation with an order summary before any REAL order, and consider separating read-only account queries from trading actions.

What this means

Providing the trading password could enable the agent to operate the user's real brokerage account through FutuOpenD.

Why it was flagged

The skill accepts a trading password and uses it to unlock real trading by default, granting account-level authority over financial transactions.

Skill content

def unlock_trade(self, password: str, trd_env: TrdEnv = TrdEnv.REAL) -> bool: ... ctx.unlock_trade(password=password, trd_env=trd_env)

Recommendation

Declare this credential requirement clearly, handle the password only through a secure prompt or credential mechanism, avoid logging or storing it, and require per-trade user approval.

What this means

Different or future package versions could change behavior, including behavior that affects trading operations.

Why it was flagged

The skill relies on external, unpinned Python packages and has no install spec; this is purpose-aligned but leaves dependency provenance and versioning less controlled.

Skill content

Install dependencies: `pip install futu-api` ... `pip install futu-api pandas`

Recommendation

Pin dependency versions in an install spec or requirements file and install from trusted package sources.