Downloads: 516
Stars: 0
Active Installs: 1
Versions: 2
Install in OpenClaw
/install opend
Description
Agentic trading and market-data workflows for Futu OpenD (MooMoo/Futu OpenAPI), including OpenClaw-compatible secret-ref credential loading, account discover...
Usage Guidance
This skill appears to do what it says: a local OpenD/Futu (MooMoo) CLI wrapper that supports secret-ref credential loading and simulated or live orders. Before installing or using with real money, do the following:
- Inspect and run the code in a safe environment (SIMULATE remains the default) and exercise the simulated trading paths first.
- Prefer OPEND_PASSWORD_SECRET_REF / gateway secret injection for hosted deployments; avoid setting MOOMOO_PASSWORD as a plain environment variable in hosted/shared environments.
- Verify the registry metadata and packaging: the bundle and SKILL.md document secret env vars, but the registry metadata claimed none — ensure the published registry entry accurately lists the required secrets.
- Carefully control OPEND_SDK_PATH: the code will insert that path into sys.path and import moomoo/futu from it. Only point OPEND_SDK_PATH at trusted SDK code; an attacker-controlled SDK path could execute arbitrary code on import.
- setup_config.py writes config.key and config.enc locally (key file is written with mode 600). Treat these files as sensitive and move keys into a secret manager if used.
- If you intend to run live trading (trd_env=REAL), require explicit user confirmation and validate unlock behavior; consider additional manual review or approval steps in any agent workflow that could invoke live orders.
If you are unsure, run the provided smoke test (python3 scripts/release_smoke_test.py) and run the CLI with --help to confirm behavior, and keep live trading disabled until you have audited the environment and credential provisioning.
Capability Analysis
Type: OpenClaw Skill
Name: opend
Version: 1.0.1
The skill contains a critical Remote Code Execution (RCE) vulnerability in `opend_core.py`. The `load_sdk()` function allows the `OPEND_SDK_PATH` environment variable to inject arbitrary paths into `sys.path`, enabling the loading and execution of untrusted Python modules if an attacker can control this variable. While `SKILL.md` and `README.md` warn users to only point this at trusted code, the underlying mechanism presents a significant security risk. Additionally, the skill supports legacy credential methods (`env`, `config`, `keyring`) that bypass OpenClaw's preferred secret management, though these are clearly documented as less secure compatibility paths. There is no evidence of intentional malicious behavior, but the RCE vulnerability makes it suspicious.
Capability Assessment
Purpose & Capability
The name/description (OpenD CLI for MooMoo) aligns with the included Python CLI, core client, and credential helpers. The code interacts only with a local OpenD host via the moomoo/futu SDK and implements account discovery, snapshots, positions, and order placement as advertised. One mismatch: the registry metadata listed "Required env vars: none," while SKILL.md and the code document secret inputs (OPEND_PASSWORD_SECRET_REF, MOOMOO_PASSWORD, MOOMOO_CONFIG_KEY); this appears to be a packaging/metadata oversight but does not change the functional purpose.
Instruction Scope
SKILL.md stays within the stated domain: it documents using the local OpenD host, credential methods, and safety defaults (SIMULATE). The instructions reference local files (config.enc, config.key) and env refs for credentials — which is expected for a trading wrapper. The guidance explicitly warns to use secret-ref injection for hosted use and to treat legacy paths as local-only. There are no instructions to read or transmit unrelated system data or to contact external endpoints beyond the SDK/OpenD local host.
Install Mechanism
No install spec is provided (instruction-only install), and all included code is plain Python. There are no remote download URLs or archive extraction steps in the bundle. The skill does recommend installing SDKs (moomoo or futu) and optional libraries (keyring, cryptography), which is proportionate to the functionality.
Credentials
The secrets and env vars documented in SKILL.md and used in code are proportional to a trading skill: OPEND_PASSWORD_SECRET_REF (preferred), MOOMOO_PASSWORD, MOOMOO_CONFIG_KEY, and runtime overrides (OPEND_HOST, OPEND_PORT, OPEND_SDK_PATH, etc.). The only concern is the registry metadata claiming no required env vars while the package clearly documents secret inputs — verify the registry entry before hosted deployment. No unrelated third-party credentials are requested.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but is not combined with other high-risk indicators here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install opend
- After installation, invoke the skill by name or use /opend
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Skill opend 1.0.1 – Adds OpenClaw secret-ref support and strengthens credential handling.
- Added support for OpenClaw-compatible secret-ref credential loading.
- Expanded documentation with clear instructions for secret management and source auditing.
- setup_config.py no longer prints reusable keys on creation, improving local secret safety.
- Introduced release checklist and registry metadata reference files.
- Improved warnings and guidance around credential methods for both hosted and local use.
- Other minor updates and clarifications in code and documentation.
v1.0.0
Initial release of the opend skill: agentic trading workflows for Futu OpenD (MooMoo/Futu OpenAPI).
- Provides a unified Bash CLI (openclaw) for snapshot, account, position, and order operations.
- Supports secure credential handling via environment variables, config, or keyring.
- Defaults to simulated trading unless live is explicitly selected.
- Designed for structured JSON output for downstream automation.
- Backwards compatible: legacy scripts now delegate to the single structured interface.
Frequently Asked Questions
What is OpenD CLI for MooMoo?
Agentic trading and market-data workflows for Futu OpenD (MooMoo/Futu OpenAPI), including OpenClaw-compatible secret-ref credential loading, account discover... It is an AI Agent Skill for Claude Code / OpenClaw, with 516 downloads so far.
How do I install OpenD CLI for MooMoo?
Run "/install opend" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenD CLI for MooMoo free?
Yes, OpenD CLI for MooMoo is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenD CLI for MooMoo support?
OpenD CLI for MooMoo is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created OpenD CLI for MooMoo?
It is built and maintained by oscraters (@oscraters); the current version is v1.0.1.