← Back to Skills Marketplace
raymondxu813-finance

Leapcat Skills

by raymondxu813-finance · GitHub ↗ · v0.1.1 · MIT-0
cross-platform ⚠ suspicious
92
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install leapcat
Description
Trade stocks, subscribe to IPOs, manage wallet, complete KYC, and access real-time market data via AI agent. 7 skills for the Leapcat platform.
README (SKILL.md)

Leapcat Skills

A comprehensive set of 7 AI agent skills for the Leapcat platform. All commands use npx [email protected] — no global install needed, just Node.js 18+.

Available Skills

leapcat-auth

Login, logout, session management, token refresh, re-authentication, and trade password operations.

leapcat-kyc

KYC identity verification including document upload, personal info submission, agreements, and status polling.

leapcat-ipo

Browse IPO projects, estimate costs, subscribe, cancel, and monitor subscription status.

leapcat-trading

Place buy/sell stock orders (limit/market), monitor order status, and cancel pending orders.

leapcat-wallet

Check balance, get deposit address, initiate withdrawals, view debt status, and fund activity history.

leapcat-portfolio

View portfolio overview and individual stock positions with unrealized P&L.

leapcat-market

Real-time stock quotes, K-line charts, market indices, stock search, exchange rates, and fee schedules. No authentication required.

Quick Start

Check market data (no login needed):

npx [email protected] market quote --symbol 00700.HK --json
npx [email protected] market indices --json

Login to access authenticated features:

npx [email protected] auth login --email [email protected] --send-only --json
npx [email protected] auth login --email [email protected] --otp-id \x3Cid> --otp-code \x3Ccode> --json

Then use any skill:

npx [email protected] wallet balance --json
npx [email protected] portfolio positions --json
npx [email protected] ipo projects --json

Notes

  • All commands output JSON when using the --json flag
  • Session tokens are stored locally at ~/.config/leapcat/tokens.json
  • Access tokens auto-refresh; re-login only needed after 30 days of inactivity
  • For sensitive operations (withdrawals), run npx [email protected] auth reauth --json first

Security & Provenance

  • Source code: github.com/leapcat-ai/leapcat-skills
  • npm package: npmjs.com/package/leapcat
  • Version pinned: All commands use npx [email protected] (pinned, not @latest) to prevent supply-chain drift
  • Token storage: ~/.config/leapcat/tokens.json is created automatically after login; contains JWT access/refresh tokens, not user credentials
  • KYC documents: Only uploaded when the user explicitly provides file paths; the CLI does not scan or access local files automatically
  • No env vars required: Authentication is handled via email OTP, no API keys needed
Usage Guidance
This skill appears to be what it says (a CLI wrapper for Leapcat trading, KYC, wallet, and market data) but it relies on running 'npx [email protected]' at runtime. npx will fetch and execute package code from npm — even though the version is pinned, the package itself is not included here for review. Before installing/using: 1) Review the npm package and its GitHub repo (the SKILL.md points to them) to inspect the code that will run. 2) Avoid running CLI commands that expose sensitive local files unless you know what the command does; uploaded KYC documents and ~/.config/leapcat/tokens.json are sensitive. 3) Prefer installing the CLI into a controlled environment (sandbox, VM, or container) and inspect the package contents, or vendor the package after auditing, instead of having an agent run npx directly. 4) If you will let the agent invoke this skill autonomously, be aware the agent could run any npx command the SKILL.md permits; limit autonomous usage or review logs/commands. Additional info that would change this assessment: the verified npm package contents or a full package tarball/Git commit hash matching the claimed repo (so the runtime code can be audited).
Capability Analysis
Type: OpenClaw Skill Name: leapcat Version: 0.1.1 The Leapcat skill bundle provides a comprehensive interface for a financial platform, enabling an AI agent to perform high-risk operations including stock trading, KYC document uploads, and wallet withdrawals. It relies on shell execution via 'npx [email protected]' and manages sensitive session tokens in '~/.config/leapcat/tokens.json'. While the instructions in SKILL.md and the sub-skill files are consistent with the stated purpose of the platform (leapcat.ai), the inherent risks associated with automated financial transactions and local file access for identity verification meet the criteria for a suspicious classification.
Capability Assessment
Purpose & Capability
Name, description, and the seven sub-skills (auth, kyc, market, trading, wallet, portfolio, ipo) match the commands shown. Required capabilities (Node.js, auth via email/OTP, local token storage) are consistent with a trading/finance CLI.
Instruction Scope
Runtime instructions are specific: they tell the agent to run npx [email protected] commands. The docs only upload local files when the user supplies explicit file paths, and they name the local token file (~/.config/leapcat/tokens.json). The instructions do not directly tell the agent to scan arbitrary local files, but they do cause the agent to execute CLI commands that may read or write those paths if invoked.
Install Mechanism
There is no declared install spec, but the SKILL.md requires running npx [email protected] which will fetch and execute code from the npm registry at runtime. Although the version is pinned (0.1.1), npx still runs external package code when invoked — this is a moderate supply-chain risk because the package code is not included for review here.
Credentials
The skill requests no environment variables (authentication uses email/OTP) which is proportionate. However the CLI stores JWT access/refresh tokens at ~/.config/leapcat/tokens.json; any agent-run commands could access that file. The skill does not ask for unrelated credentials, which is good, but the local token file is sensitive and worth protecting.
Persistence & Privilege
always is false and the skill does not request system-wide configuration changes. The only persistent artifact named is the CLI's token file in the user's config directory; that behavior is expected for a remote-account CLI.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install leapcat
  3. After installation, invoke the skill by name or use /leapcat
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
- Updated all quick start examples and documentation to use the version-pinned command `npx [email protected]` instead of `npx leapcat@latest` - Added `homepage` field and a dedicated "Security & Provenance" section with links to GitHub and npm package, and details about version pinning and token/document handling - Clarified that commands are now version-pinned to improve security and prevent supply-chain drift - Added notes about KYC document uploads and authentication handling (no user credentials or env vars required)
v0.1.0
Initial release: 7 AI agent skills for Leapcat platform. Skills: auth, kyc, ipo, trading, wallet, portfolio, market. All commands use npx leapcat@latest — no global install needed. Compatible with Cursor, Claude Code, Codex, OpenClaw, and 40+ AI agents.
Metadata
Slug leapcat
Version 0.1.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Leapcat Skills?

Trade stocks, subscribe to IPOs, manage wallet, complete KYC, and access real-time market data via AI agent. 7 skills for the Leapcat platform. It is an AI Agent Skill for Claude Code / OpenClaw, with 92 downloads so far.

How do I install Leapcat Skills?

Run "/install leapcat" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Leapcat Skills free?

Yes, Leapcat Skills is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Leapcat Skills support?

Leapcat Skills is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Leapcat Skills?

It is built and maintained by raymondxu813-finance (@raymondxu813-finance); the current version is v0.1.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments