技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 0 · 26 · 1 current installs · 1 all-time installs
⭐ 0
安装量(当前) 1
🛡 VirusTotal :可疑 · OpenClaw :可疑
Package:canonxu/my-stock-longbridge-skill
安全扫描(ClawHub)
- VirusTotal :可疑
- OpenClaw :可疑
OpenClaw 评估
The skill's code contains hardcoded Longbridge API credentials and JWTs despite the SKILL.md instructing secure secret configuration and declaring no required credentials, creating a clear mismatch and a sensitive-credentials risk.
目的
Name/description promise (Longbridge trading, quotes, account tracking) matches the code's trading calls, but the skill does not declare or request any credentials while multiple files contain hardcoded APP_KEY, APP_SECRET and ACCESS_TOKEN values. A legitimate Longbridge integration should declare required credentials (or use configured secrets), not embed them in source.
说明范围
SKILL.md tells the operator to configure credentials via 'openclaw secrets configure' and warns not to hardcode credentials, yet the bundled Python modules repeatedly hardcode API keys and an access token and call trade/submit/cancel operations and write/read an order history. The instructions do not mention the HISTORY_FILE path (/home/admin/.openclaw/skills/...), nor do they reconcile the hardcoded secrets, so runtime behavior will use embed…
安装机制
There is no install spec (lower install risk) and requirements.txt only lists 'longbridge' and 'tenacity', which are appropriate for the stated functionality. However, the presence of executable code files (not just prose) means code will run on the agent host even without an install spec.
证书
requires.env is empty and primary credential is none, yet the code embeds sensitive credentials (API key/secret and a long JWT). This is disproportionate and inconsistent: the skill should declare the Longbridge credentials as required environment variables or use the platform secret vault instead of hardcoding. Also the skill writes to a user-path under /home/admin, showing filesystem access beyond ephemeral runtime.
持久
always is false and the skill does not claim to modify other skills or system-wide settings. It does persist order history to a path under the user's home (~/.openclaw/skills/...), which is reasonable for local state but combined with hardcoded trading credentials increases potential impact if the embedded token is valid.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「My Stock Longbridge Skill」。简介:Integrates Longbridge OpenAPI for automated stock trading, market quotes, accou…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/canonxu/my-stock-longbridge-skill/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
# my_longbridge_mgnt_skill
## Purpose
Longbridge OpenAPI integration for automated stock management.
## Setup
1. Configure credentials via `openclaw secrets configure`.
2. Ensure `longbridge` is installed (`pip install -r requirements.txt`).
## Functions
- `trade`: Execute, Modify, Cancel orders.
- `market`: Real-time quotes.
- `account`: Asset & Position tracking.
- `push`: Real-time streaming handler.
---
_Warning: Do not hardcode credentials._