Claw Future

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent futures-trading assistant, but it can place real orders through a background daemon and has several review-worthy gaps around automated trading controls, credential handling, local command access, and native build provenance.

Review carefully before installing. Use a SimNow or other simulation account first, do not connect a live trading account until you trust the code and daemon controls, protect config.json, check and remove active schedules/condition orders, and verify the native CTP bridge build path before running start.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

A mistaken or overly broad tool invocation could place, schedule, or cancel futures orders in a real account.

Why it was flagged

The executable layer directly forwards high-impact trading, mass-cancel, and scheduled-order requests to the daemon. The artifacts document agent-side confirmation, but the code shown does not enforce a separate approval, risk limit, volume cap, dry-run mode, or account-mode guard before sending these financial actions.

Skill content
def cmd_order(args) -> None:
    ...
    _out(_send(cmd))
...
def cmd_cancel_all(args) -> None:
    ...
    _out(_send({"cmd": "cancel_all"}))
...
def cmd_schedule_order(args) -> None:
    ...
    _out(_send({"cmd": "add_schedule", "schedule": sched}))
Recommendation

Require enforced confirmation in the CLI or daemon for all order/cancel/schedule/condition-order actions, add user-configurable limits, and default to simulation or dry-run until explicitly enabled.

ASI08: Cascading Failures
High
What this means

A scheduled futures order may fire more often than the user intended, potentially causing repeated unintended trades.

Why it was flagged

The scheduler checks only the time and whether it already fired today. It does not enforce the SKILL.md-described weekday/daily/once options, so a schedule intended to run once or only on weekdays can repeat on later days.

Skill content
class ScheduleEngine:
    """Scheduled task; fires once per day at the specified time."""
    ...
    def check(self, now):
        ...
        if sched.get("time") != cur_time: continue
        ...
        if sched.get("triggered_date") == cur_date: continue
        ...
        sched["triggered_date"] = cur_date
Recommendation

Persist and enforce schedule scope such as once/daily/weekday, expire one-time schedules after firing, and show the next fire time before accepting any scheduled trade.

ASI04: Agentic Supply Chain Vulnerabilities
High
What this means

First run may compile and load native code linked against unintended or unreviewed local binaries.

Why it was flagged

From scripts/bridge, ../../.. resolves above the skill root, not to the skill's own root/api directory. Because the bridge is auto-built and linked to CTP SDK binaries, this can fail or use SDK files outside the reviewed package path.

Skill content
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
LINUX_SDK="$REPO_ROOT/api/linux"
Recommendation

Fix the SDK path to stay inside the skill directory, verify or pin native SDK binaries, and require explicit user acknowledgement before compiling/loading native components.

ASI07: Insecure Inter-Agent Communication
High
What this means

Another local process that can reach or discover the daemon port may be able to imitate the CLI and send trading commands.

Why it was flagged

The local CLI protocol shown sends plain JSON commands to a localhost daemon port with no visible authentication token or per-command approval marker. For a daemon that can place trades, local command identity and authorization boundaries matter.

Skill content
s = socket.create_connection(("127.0.0.1", port), timeout=_TIMEOUT)
s.sendall((json.dumps(cmd, ensure_ascii=False) + "\n").encode())
Recommendation

Add a per-install secret token, bind permissions to the current user, validate command authorization in the daemon, and reject trade-mutating commands without an approval nonce.

ASI03: Identity and Privilege Abuse
Medium
What this means

Installing and using the skill means trusting it with credentials that can access and trade in the configured CTP account.

Why it was flagged

The skill requires CTP account identifiers, trading/market-data passwords, AppID, and auth code. This is expected for a futures-trading integration, but the registry metadata declares no primary credential or required environment variables.

Skill content
"user_id": "你的账户号", "md_password": "行情密码", "td_password": "交易密码", "app_id": "your_app_id", "auth_code": "your_auth_code"
Recommendation

Use a simulation account first, restrict account permissions where possible, protect config.json, and ensure the registry metadata clearly declares the credential requirements.

ASI10: Rogue Agents
Medium
What this means

The assistant can continue monitoring and trading after setup, even if the user is no longer actively watching the conversation.

Why it was flagged

The background daemon and condition-order design are disclosed and purpose-aligned, but they keep acting after the chat turn ends and can automatically send orders when market conditions are met.

Skill content
Once set, the daemon executes automatically in the background even when the user is offline.
Recommendation

Review active alerts and schedules regularly, stop the daemon when not needed, and remove any condition or scheduled orders that should no longer be active.