XTrade Futu Paper Trade

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a disclosed Futu paper-trading skill, but users should note that it installs Python dependencies, uses Futu credentials, and can place or cancel simulated trades.

This skill is coherent with its stated paper-trading purpose. Before installing, confirm that FutuOpenD is connected only to a paper/simulated trading environment, do not expose Futu credentials in shared terminals or logs, and require the agent to ask before any buy, sell, or cancel action. Also be aware that the skill creates a local virtual environment and installs unpinned Python dependencies.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could change the state of your simulated trading account by placing or canceling paper orders.

Why it was flagged

The skill exposes commands that mutate a Futu paper-trading account by placing and canceling orders. This matches the stated purpose, but order-changing tools should be used with explicit user intent.

Skill content
Place buy order: python3 {baseDir}/xtrade_xtrade_futu_skill.py buy --symbol HK.00700 --qty 100 --price 320.5 ... Cancel order: python3 {baseDir}/xtrade_xtrade_futu_skill.py cancel --order-id ...
Recommendation

Use the skill only for paper trading and require explicit confirmation before buy, sell, or cancel commands.

What this means

You may need to provide sensitive Futu credentials or a trade unlock password to use trading features.

Why it was flagged

The skill documents Futu account and trade-unlock credentials, but the registry metadata declares no required environment variables or primary credential. The credential use is expected for this integration, with no artifact evidence of unrelated use or leakage.

Skill content
FUTU_TRADE_PWD: trade unlock password ... FUTU_ACCOUNT: account identifier, optional ... FUTU_PASSWORD: account password, optional
Recommendation

Provide credentials only through trusted local environment configuration, keep the account in paper-trading mode, and avoid sharing logs or terminal history that might contain secrets.

What this means

Running the skill may download and install Python packages on your machine.

Why it was flagged

The skill automatically installs dependencies from requirements.txt into a local virtual environment when run. This is disclosed and purpose-aligned, but it means runtime execution depends on external Python packages.

Skill content
subprocess.check_call([str(pip_path), "install", "-r", str(requirements)])
Recommendation

Review the dependency list and consider pinning versions or installing in an isolated environment before use.

What this means

The behavior of the skill could change if dependency updates introduce breaking changes or vulnerabilities.

Why it was flagged

The dependencies are not pinned to exact versions, so future installs may resolve to newer package versions than the author tested.

Skill content
futu-api>=1.0.0
akshare>=1.18.0
Recommendation

For safer repeatable use, pin known-good dependency versions and review package provenance.