← 返回 Skills 市场
Leapcat Skills
作者
raymondxu813-finance
· GitHub ↗
· v0.1.1
· MIT-0
92
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install leapcat
功能描述
Trade stocks, subscribe to IPOs, manage wallet, complete KYC, and access real-time market data via AI agent. 7 skills for the Leapcat platform.
使用说明 (SKILL.md)
Leapcat Skills
A comprehensive set of 7 AI agent skills for the Leapcat platform. All commands use npx [email protected] — no global install needed, just Node.js 18+.
Available Skills
leapcat-auth
Login, logout, session management, token refresh, re-authentication, and trade password operations.
leapcat-kyc
KYC identity verification including document upload, personal info submission, agreements, and status polling.
leapcat-ipo
Browse IPO projects, estimate costs, subscribe, cancel, and monitor subscription status.
leapcat-trading
Place buy/sell stock orders (limit/market), monitor order status, and cancel pending orders.
leapcat-wallet
Check balance, get deposit address, initiate withdrawals, view debt status, and fund activity history.
leapcat-portfolio
View portfolio overview and individual stock positions with unrealized P&L.
leapcat-market
Real-time stock quotes, K-line charts, market indices, stock search, exchange rates, and fee schedules. No authentication required.
Quick Start
Check market data (no login needed):
npx [email protected] market quote --symbol 00700.HK --json
npx [email protected] market indices --json
Login to access authenticated features:
npx [email protected] auth login --email [email protected] --send-only --json
npx [email protected] auth login --email [email protected] --otp-id \x3Cid> --otp-code \x3Ccode> --json
Then use any skill:
npx [email protected] wallet balance --json
npx [email protected] portfolio positions --json
npx [email protected] ipo projects --json
Notes
- All commands output JSON when using the
--jsonflag - Session tokens are stored locally at
~/.config/leapcat/tokens.json - Access tokens auto-refresh; re-login only needed after 30 days of inactivity
- For sensitive operations (withdrawals), run
npx [email protected] auth reauth --jsonfirst
Security & Provenance
- Source code: github.com/leapcat-ai/leapcat-skills
- npm package: npmjs.com/package/leapcat
- Version pinned: All commands use
npx [email protected](pinned, not @latest) to prevent supply-chain drift - Token storage:
~/.config/leapcat/tokens.jsonis created automatically after login; contains JWT access/refresh tokens, not user credentials - KYC documents: Only uploaded when the user explicitly provides file paths; the CLI does not scan or access local files automatically
- No env vars required: Authentication is handled via email OTP, no API keys needed
安全使用建议
This skill appears to be what it says (a CLI wrapper for Leapcat trading, KYC, wallet, and market data) but it relies on running 'npx [email protected]' at runtime. npx will fetch and execute package code from npm — even though the version is pinned, the package itself is not included here for review. Before installing/using: 1) Review the npm package and its GitHub repo (the SKILL.md points to them) to inspect the code that will run. 2) Avoid running CLI commands that expose sensitive local files unless you know what the command does; uploaded KYC documents and ~/.config/leapcat/tokens.json are sensitive. 3) Prefer installing the CLI into a controlled environment (sandbox, VM, or container) and inspect the package contents, or vendor the package after auditing, instead of having an agent run npx directly. 4) If you will let the agent invoke this skill autonomously, be aware the agent could run any npx command the SKILL.md permits; limit autonomous usage or review logs/commands. Additional info that would change this assessment: the verified npm package contents or a full package tarball/Git commit hash matching the claimed repo (so the runtime code can be audited).
功能分析
Type: OpenClaw Skill
Name: leapcat
Version: 0.1.1
The Leapcat skill bundle provides a comprehensive interface for a financial platform, enabling an AI agent to perform high-risk operations including stock trading, KYC document uploads, and wallet withdrawals. It relies on shell execution via 'npx [email protected]' and manages sensitive session tokens in '~/.config/leapcat/tokens.json'. While the instructions in SKILL.md and the sub-skill files are consistent with the stated purpose of the platform (leapcat.ai), the inherent risks associated with automated financial transactions and local file access for identity verification meet the criteria for a suspicious classification.
能力评估
Purpose & Capability
Name, description, and the seven sub-skills (auth, kyc, market, trading, wallet, portfolio, ipo) match the commands shown. Required capabilities (Node.js, auth via email/OTP, local token storage) are consistent with a trading/finance CLI.
Instruction Scope
Runtime instructions are specific: they tell the agent to run npx [email protected] commands. The docs only upload local files when the user supplies explicit file paths, and they name the local token file (~/.config/leapcat/tokens.json). The instructions do not directly tell the agent to scan arbitrary local files, but they do cause the agent to execute CLI commands that may read or write those paths if invoked.
Install Mechanism
There is no declared install spec, but the SKILL.md requires running npx [email protected] which will fetch and execute code from the npm registry at runtime. Although the version is pinned (0.1.1), npx still runs external package code when invoked — this is a moderate supply-chain risk because the package code is not included for review here.
Credentials
The skill requests no environment variables (authentication uses email/OTP) which is proportionate. However the CLI stores JWT access/refresh tokens at ~/.config/leapcat/tokens.json; any agent-run commands could access that file. The skill does not ask for unrelated credentials, which is good, but the local token file is sensitive and worth protecting.
Persistence & Privilege
always is false and the skill does not request system-wide configuration changes. The only persistent artifact named is the CLI's token file in the user's config directory; that behavior is expected for a remote-account CLI.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install leapcat - 安装完成后,直接呼叫该 Skill 的名称或使用
/leapcat触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.1
- Updated all quick start examples and documentation to use the version-pinned command `npx [email protected]` instead of `npx leapcat@latest`
- Added `homepage` field and a dedicated "Security & Provenance" section with links to GitHub and npm package, and details about version pinning and token/document handling
- Clarified that commands are now version-pinned to improve security and prevent supply-chain drift
- Added notes about KYC document uploads and authentication handling (no user credentials or env vars required)
v0.1.0
Initial release: 7 AI agent skills for Leapcat platform.
Skills: auth, kyc, ipo, trading, wallet, portfolio, market.
All commands use npx leapcat@latest — no global install needed.
Compatible with Cursor, Claude Code, Codex, OpenClaw, and 40+ AI agents.
元数据
常见问题
Leapcat Skills 是什么?
Trade stocks, subscribe to IPOs, manage wallet, complete KYC, and access real-time market data via AI agent. 7 skills for the Leapcat platform. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 92 次。
如何安装 Leapcat Skills?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install leapcat」即可一键安装,无需额外配置。
Leapcat Skills 是免费的吗?
是的,Leapcat Skills 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Leapcat Skills 支持哪些平台?
Leapcat Skills 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Leapcat Skills?
由 raymondxu813-finance(@raymondxu813-finance)开发并维护,当前版本 v0.1.1。
推荐 Skills