516 total downloads
0 favorites
1 current install
2 versions
Install in OpenClaw
/install opend
Description
Agentic trading and market-data workflows for Futu OpenD (MooMoo/Futu OpenAPI), including OpenClaw-compatible secret-ref credential loading, account discover...
Security usage recommendations
This skill appears to do what it says: a local OpenD/Futu (MooMoo) CLI wrapper that supports secret-ref credential loading and simulated or live orders. Before installing or using with real money, do the following:
- Inspect and run the code in a safe environment (SIMULATE remains the default) and exercise the simulated trading paths first.
- Prefer OPEND_PASSWORD_SECRET_REF / gateway secret injection for hosted deployments; avoid setting MOOMOO_PASSWORD as a plain environment variable in hosted/shared environments.
- Verify the registry metadata and packaging: the bundle and SKILL.md document secret env vars, but the registry metadata claimed none — ensure the published registry entry accurately lists the required secrets.
- Carefully control OPEND_SDK_PATH: the code will insert that path into sys.path and import moomoo/futu from it. Only point OPEND_SDK_PATH at trusted SDK code; an attacker-controlled SDK path could execute arbitrary code on import.
- setup_config.py writes config.key and config.enc locally (key file is written with mode 600). Treat these files as sensitive and move keys into a secret manager if used.
- If you intend to run live trading (trd_env=REAL), require explicit user confirmation and validate unlock behavior; consider additional manual review or approval steps in any agent workflow that could invoke live orders.
If you are unsure, run the provided smoke test (python3 scripts/release_smoke_test.py) and run the CLI with --help to confirm behavior, and keep live trading disabled until you have audited the environment and credential provisioning.
Functional analysis
Type: OpenClaw Skill
Name: opend
Version: 1.0.1
The skill contains a critical Remote Code Execution (RCE) vulnerability in `opend_core.py`. The `load_sdk()` function allows the `OPEND_SDK_PATH` environment variable to inject arbitrary paths into `sys.path`, enabling the loading and execution of untrusted Python modules if an attacker can control this variable. While `SKILL.md` and `README.md` warn users to only point this at trusted code, the underlying mechanism presents a significant security risk. Additionally, the skill supports legacy credential methods (`env`, `config`, `keyring`) that bypass OpenClaw's preferred secret management, though these are clearly documented as less secure compatibility paths. There is no evidence of intentional malicious behavior, but the RCE vulnerability makes it suspicious.
Capability assessment
Purpose & Capability
The name/description (OpenD CLI for MooMoo) aligns with the included Python CLI, core client, and credential helpers. The code interacts only with a local OpenD host via the moomoo/futu SDK and implements account discovery, snapshots, positions, and order placement as advertised. One mismatch: the registry metadata listed "Required env vars: none," while SKILL.md and the code document secret inputs (OPEND_PASSWORD_SECRET_REF, MOOMOO_PASSWORD, MOOMOO_CONFIG_KEY); this appears to be a packaging/metadata oversight but does not change the functional purpose.
Instruction Scope
SKILL.md stays within the stated domain: it documents using the local OpenD host, credential methods, and safety defaults (SIMULATE). The instructions reference local files (config.enc, config.key) and env refs for credentials — which is expected for a trading wrapper. The guidance explicitly warns to use secret-ref injection for hosted use and to treat legacy paths as local-only. There are no instructions to read or transmit unrelated system data or to contact external endpoints beyond the SDK/OpenD local host.
Install Mechanism
No install spec is provided (instruction-only install), and all included code is plain Python. There are no remote download URLs or archive extraction steps in the bundle. The skill does recommend installing SDKs (moomoo or futu) and optional libraries (keyring, cryptography), which is proportionate to the functionality.
Credentials
The secrets and env vars documented in SKILL.md and used in code are proportional to a trading skill: OPEND_PASSWORD_SECRET_REF (preferred), MOOMOO_PASSWORD, MOOMOO_CONFIG_KEY, and runtime overrides (OPEND_HOST, OPEND_PORT, OPEND_SDK_PATH, etc.). The only concern is the registry metadata claiming no required env vars while the package clearly documents secret inputs — verify the registry entry before hosted deployment. No unrelated third-party credentials are requested.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but is not combined with other high-risk indicators here.
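How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install opend
- Once installation completes, call the Skill by name or use /opend to trigger it.
- Provide the required inputs according to the Skill's parameter description to get structured output.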
Version history
v1.0.1
Skill opend 1.0.1 – Adds OpenClaw secret-ref support and strengthens credential handling.
- Added support for OpenClaw-compatible secret-ref credential loading.
- Expanded documentation with clear instructions for secret management and source auditing.
- setup_config.py no longer prints reusable keys on creation, improving local secret safety.
- Introduced release checklist and registry metadata reference files.
- Improved warnings and guidance around credential methods for both hosted and local use.
- Other minor updates and clarifications in code and documentation.
v1.0.0
Initial release of the opend skill: agentic trading workflows for Futu OpenD (MooMoo/Futu OpenAPI).
- Provides a unified Bash CLI (openclaw) for snapshot, account, position, and order operations.
- Supports secure credential handling via environment variables, config, or keyring.
- Defaults to simulated trading unless live is explicitly selected.
- Designed for structured JSON output for downstream automation.
- Backwards compatible: legacy scripts now delegate to the single structured interface.
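Frequently asked questions
What is OpenD CLI for MooMoo?
Agentic trading and market-data workflows for Futu OpenD (MooMoo/Futu OpenAPI), including OpenClaw-compatible secret-ref credential loading, account discover... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 516 cumulative downloads to date.
How do I install OpenD CLI for MooMoo?
Run the command "/install opend" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is OpenD CLI for MooMoo free?
Yes, OpenD CLI for MooMoo is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does OpenD CLI for MooMoo support?
OpenD CLI for MooMoo is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed OpenD CLI for MooMoo?
It is developed and maintained by oscraters (@oscraters); the current version is v1.0.1.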