XTrade Futu Paper Trade

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Futu paper-trading skill that can query market/account data and place or cancel simulated orders, with no evidence of hidden exfiltration or real-money trading behavior.

Install only if you intend to let an agent interact with a Futu paper-trading account. Keep FutuOpenD in simulation mode, provide trade passwords only through trusted local environment settings, and require explicit user approval before buy, sell, or cancel commands. Be aware that the first run installs unpinned Python packages, and that some financial-data commands may use AkShare-backed external sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not pip_path.exists():
        raise RuntimeError("虚拟环境创建失败")
    requirements = base_dir / "requirements.txt"
    subprocess.check_call([str(pip_path), "install", "-r", str(requirements)])
    env = os.environ.copy()
    env["FUTU_SKILL_VENV"] = "1"
    subprocess.check_call([str(python_path), str(Path(__file__).resolve()), *sys.argv[1:]], env=env)
Confidence
95% confidence
Finding
subprocess.check_call([str(pip_path), "install", "-r", str(requirements)])

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares no explicit permissions even though it clearly relies on environment variables and shell execution (`python3`, virtualenv creation, dependency installation). This creates a transparency and policy-enforcement gap: a host may grant or deny execution based on declared permissions, while the skill still expects to access sensitive env values such as trading credentials and invoke local commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The description says the skill is for paper-trade quote/position queries and order placement, but the documented behavior expands into funds, orders, fills, PnL, health checks, historical data, and external financial-data retrieval via AkShare. This mismatch weakens user consent and review because operators may approve the skill for a narrower purpose than what it actually does, including additional network/data access paths.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill claims to use the Futu paper trading API, but the documentation states it may fall back to AkShare and other external finance sources when Futu APIs are unavailable. Undisclosed fallback providers materially change the trust boundary and data exposure model, because requests may leave the expected local/Futu path and reach third-party services.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill claims to use the Futu paper trading API, but the documentation states it may fall back to AkShare and other external finance sources when Futu APIs are unavailable. Undisclosed fallback providers materially change the trust boundary and data exposure model, because requests may leave the expected local/Futu path and reach third-party services.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The implemented capabilities exceed the declared purpose: beyond quotes, positions, and paper-trade orders, the skill can cancel orders, query funds, list fills, unlock trading, and access broader financial data. Capability mismatch reduces informed consent and can mislead users or agent orchestrators about the skill's true authority, which is especially sensitive in a trading context.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The skill silently expands scope by introducing AkShare as a fallback data source unrelated to the stated Futu paper-trading purpose. This creates an unexpected external dependency and additional data-flow/supply-chain surface that users may not have consented to.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README advertises account queries, position management, and order placement, but it does not clearly warn users that the skill can access trading/account data and trigger simulated orders. Even though it is limited to paper trading, this can still expose sensitive portfolio information and cause unintended automated actions if a user or agent invokes commands without understanding the scope.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill automatically creates or deletes a virtual environment, installs packages, and re-executes itself without any explicit warning or approval. In a skill ecosystem, undisclosed environment mutation and dependency installation are dangerous because they can change the host state and execute third-party code unexpectedly.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill pulls a trading password from environment variables and submits it to the unlock API, but the file does not clearly disclose that secret-handling behavior to the user. In a trading skill, undisclosed credential use is sensitive because it enables privileged account actions beyond passive data retrieval.

Unpinned Dependencies

Low
Category
Supply Chain
Content
futu-api>=1.0.0
akshare>=1.18.0
Confidence
89% confidence
Finding
futu-api>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
futu-api>=1.0.0
akshare>=1.18.0
Confidence
89% confidence
Finding
akshare>=1.18.0

VirusTotal

66/66 vendors flagged this skill as clean.
