Is genkin-he/longbridge-openapi safe?

https://github.com/openclaw/skills/tree/main/skills/genkin-he/longbridge-openapi

78
CAUTION

The Longbridge OpenAPI skill is technically clean: no prompt injection, no malicious code, and no evidence of unauthorized data exfiltration. Canary files were read only by the oathe monitoring framework and remain intact. The skill nonetheless carries meaningful inherent risk: it installs a pip package whose core is a compiled Rust extension, it exposes complete financial account access (balances, positions, trade history), and it provides unrestricted live trading with no code-level confirmation gate, so a manipulated agent could place irreversible real-money trades. The .clawhub/lock.json anomaly indicates careless packaging from a non-sterile developer environment.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 80/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (7)

HIGH Unrestricted live trading with no code-level confirmation gate -42

The submit_order tool in skill.py passes its parameters straight to Longbridge's TradeContext with no mandatory user confirmation step enforced in code. The recommendation to confirm orders appears only in SKILL.md and is advisory; nothing in the tool's code path checks that the user approved the order. An adversarially prompted agent, or a plain agent error, could therefore place real trades immediately and irreversibly.
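The missing control is a gate that sits between the agent and TradeContext.submit_order and refuses to forward anything the user has not explicitly approved. The example below is added here as an illustration and is not code from the skill or from the Longbridge SDK; the broker context is a constructed stand-in, the OrderRequest fields and the submit_order keyword names are assumptions, and the notional cap, token TTL and secret are demo values. The pattern it demonstrates is: preview_order returns an HMAC token bound to the exact order parameters and a short expiry, a human approves that preview, and submit_order reaches the broker only with a fresh, unused, matching token, so an agent cannot skip the step, reuse an approval for a different order, or replay one.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class OrderRequest:
    """Hypothetical order shape; field names are an assumption, not the SDK's."""
    symbol: str
    side: str       # "Buy" or "Sell"
    quantity: int
    price: float    # limit price; notional = quantity * price


class FakeTradeContext:
    """Constructed stand-in for the broker's TradeContext: records instead of trading."""
    def __init__(self):
        self.submitted = []

    def submit_order(self, **params):
        self.submitted.append(params)
        return {"order_id": f"FAKE-{len(self.submitted)}"}


class ConfirmationRequired(Exception):
    pass


class OrderRejected(Exception):
    pass


def _canonical(req):
    # Deterministic serialisation so the MAC covers every field of the order.
    return json.dumps(asdict(req), sort_keys=True, separators=(",", ":"))


class OrderGate:
    """Two-step submit: preview_order() issues a token bound to the exact parameters;
    submit_order() forwards to the broker only with a fresh, unused, matching token."""

    def __init__(self, ctx, max_notional, secret=None, ttl_seconds=300, clock=time.time):
        self.ctx = ctx
        self.max_notional = max_notional
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.ttl = ttl_seconds
        self.clock = clock
        self._used = set()   # single-use tokens: an approval cannot be replayed

    def _mac(self, expires, req):
        msg = f"{expires}:{_canonical(req)}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def _check_limits(self, req):
        if req.quantity <= 0 or req.price <= 0:
            raise OrderRejected("quantity and price must be positive")
        notional = req.quantity * req.price
        if notional > self.max_notional:
            raise OrderRejected(f"notional {notional} exceeds cap {self.max_notional}")
        return notional

    def preview_order(self, req):
        notional = self._check_limits(req)
        expires = int(self.clock()) + self.ttl
        token = f"{expires}.{self._mac(expires, req)}"
        return {"order": asdict(req), "notional": notional, "confirmation_token": token}

    def submit_order(self, req, confirmation_token=None):
        if not confirmation_token:
            raise ConfirmationRequired("no token: preview the order and have the user approve it")
        expires_str, _, mac = confirmation_token.partition(".")
        if not expires_str.isdigit():
            raise ConfirmationRequired("malformed token")
        expires = int(expires_str)
        if self.clock() > expires:
            raise ConfirmationRequired("token expired; preview again")
        # A mismatch means the parameters changed after the user approved the preview.
        if not hmac.compare_digest(mac, self._mac(expires, req)):
            raise ConfirmationRequired("token was issued for different order parameters")
        if mac in self._used:
            raise ConfirmationRequired("token already used")
        self._check_limits(req)
        self._used.add(mac)
        return self.ctx.submit_order(symbol=req.symbol, side=req.side,
                                     submitted_quantity=req.quantity, submitted_price=req.price)


def run_demo():
    """Exercise the gate against the fake broker with a fixed clock; returns the outcomes."""
    now = [1_700_000_000.0]
    ctx = FakeTradeContext()
    gate = OrderGate(ctx, max_notional=10_000, secret=b"demo-secret", clock=lambda: now[0])
    small = OrderRequest("700.HK", "Buy", 100, 50.0)    # constructed: notional 5,000
    large = OrderRequest("700.HK", "Buy", 1000, 50.0)   # constructed: notional 50,000
    out = {}

    def attempt(key, fn):
        try:
            fn()
            out[key] = "submitted"
        except ConfirmationRequired:
            out[key] = "confirmation_required"
        except OrderRejected:
            out[key] = "rejected"

    attempt("no_token", lambda: gate.submit_order(small))
    token = gate.preview_order(small)["confirmation_token"]
    attempt("token_reused_for_other_order", lambda: gate.submit_order(large, token))
    attempt("over_cap_preview", lambda: gate.preview_order(large))
    attempt("valid", lambda: gate.submit_order(small, token))
    attempt("replay", lambda: gate.submit_order(small, token))
    now[0] += 600
    attempt("expired", lambda: gate.submit_order(small, token))
    out["orders_reaching_broker"] = len(ctx.submitted)
    return out
```

The token is what makes the documentation-only recommendation enforceable: the agent can still call preview_order freely, but the only way to obtain a token is through a step the host can route to a human, and the HMAC binds that approval to the exact symbol, side, quantity and price, so "approve a 100-share order, submit a 1,000-share one" fails in the gate rather than at the broker.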

MEDIUM Rust FFI pip package installs compiled native binary -28

longbridge>=0.2.77 is a Python SDK whose core is written in Rust and exposed to Python through an FFI binding, so installing it via pip adds a compiled native extension to the execution environment that cannot be fully analyzed by static review of the Python source. pip has no pre- or post-install hooks, but if the resolver falls back to a source distribution, its setup.py or build backend runs arbitrary code at build time; a binary wheel runs no code during installation, yet ships opaque native code that executes whenever the SDK is imported.
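What a reviewer can still do with an opaque wheel is pin it by hash, refuse source distributions so no setup.py ever runs, and enumerate exactly which native extensions it carries. The script below is an added example, not part of the skill or the longbridge package: audit_wheel opens a .whl, verifies every file against the sha256 digests in its RECORD, lists native extensions (.so, .pyd, .dylib, .dll) and flags files that RECORD does not list. The wheel it audits is a constructed toy wheel (toypkg, with a fake ELF extension) written by build_sample_wheel so the example runs offline; point audit_wheel at a real downloaded wheel to use it for real.

```python
import base64
import csv
import hashlib
import io
import os
import tempfile
import zipfile

NATIVE_SUFFIXES = (".so", ".pyd", ".dylib", ".dll")


def _record_digest(data):
    # RECORD stores sha256 as unpadded urlsafe base64, e.g. "sha256=AbC...".
    raw = base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=")
    return "sha256=" + raw.decode()


def audit_wheel(wheel_path):
    """Return native extensions, RECORD hash mismatches and unlisted files in a wheel."""
    report = {"native_files": [], "hash_mismatches": [], "unlisted_files": []}
    with zipfile.ZipFile(wheel_path) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        record_name = next((n for n in names if n.endswith(".dist-info/RECORD")), None)
        if record_name is None:
            raise ValueError("no RECORD entry: not a valid wheel")
        listed = {}
        for row in csv.reader(io.StringIO(zf.read(record_name).decode("utf-8"))):
            if row:
                listed[row[0]] = row[1] if len(row) > 1 else ""
        for name in sorted(names):
            if os.path.basename(name).endswith(NATIVE_SUFFIXES):
                report["native_files"].append(name)
            if name == record_name:
                continue   # RECORD cannot hash itself
            if name not in listed:
                report["unlisted_files"].append(name)
            elif listed[name] != _record_digest(zf.read(name)):
                report["hash_mismatches"].append(name)
    return report


def build_sample_wheel(path, tamper=False):
    """Write a constructed toy wheel mimicking a Rust-extension layout (not a real package)."""
    files = {
        "toypkg/__init__.py": b"from ._native import hello\n",
        "toypkg/_native.cpython-311-x86_64-linux-gnu.so": b"\x7fELF" + b"\x00" * 60,
        "toypkg-0.1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: toypkg\nVersion: 0.1.0\n",
        "toypkg-0.1.0.dist-info/WHEEL": b"Wheel-Version: 1.0\nRoot-Is-Purelib: false\n",
    }
    record = io.StringIO()
    writer = csv.writer(record)
    for name, data in files.items():
        writer.writerow([name, _record_digest(data), len(data)])
    writer.writerow(["toypkg-0.1.0.dist-info/RECORD", "", ""])
    if tamper:
        # Modify the native extension after RECORD was computed, and add an unlisted file.
        files["toypkg/_native.cpython-311-x86_64-linux-gnu.so"] = b"\x7fELF" + b"\x41" * 60
        files["toypkg/extra.py"] = b"import os\n"
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("toypkg-0.1.0.dist-info/RECORD", record.getvalue())
    return path


def demo():
    """Audit a clean and a tampered copy of the toy wheel; returns both reports."""
    with tempfile.TemporaryDirectory() as d:
        clean = audit_wheel(build_sample_wheel(os.path.join(d, "toypkg-0.1.0-cp311-cp311-linux_x86_64.whl")))
        dirty = audit_wheel(build_sample_wheel(os.path.join(d, "tampered.whl"), tamper=True))
    return clean, dirty
```

For the real package, fetch only a binary wheel (pip download with --only-binary=:all: and a pinned version) so that pip never builds from an sdist, install with --require-hashes against the digest you recorded, and keep the native_files list from audit_wheel in the review notes: it is the complete inventory of code that static review of the Python layer did not cover.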

MEDIUM Financial account data transmitted to external Longbridge API by design -20

The skill's core functionality involves transmitting sensitive financial data — account balances, portfolio positions, order history, and trade instructions — to Longbridge's external REST and WebSocket endpoints. While this is the stated purpose, any agent with this skill active has persistent access to read and act on the user's complete financial state.

LOW Lock file committed from non-sterile developer environment -15

.clawhub/lock.json contains a reference to the academic-research-hub skill with an installation timestamp, indicating this file was committed from the skill developer's personal working environment rather than a clean repository state. This is a hygiene issue that may indicate careless development practices but does not represent active malicious behavior.

LOW Multiple canary file access events observed post-installation -20

All six canary honeypot files were accessed at timestamp 1771911784.368 (after installation completed). The simultaneous millisecond-level access to all six files is consistent with oathe's periodic batch integrity check rather than targeted malicious reads, and the official integrity report confirms no files were modified or exfiltrated.

INFO No prompt injection or adversarial instructions detected -10

SKILL.md and SKILL_ZH.md contain no adversarial instructions, system prompt override attempts, hidden unicode, markdown obfuscation, or chaining instructions. Content is standard brokerage API documentation with appropriate risk disclaimers.

INFO Canary file accesses attributed to audit framework, not skill -12

Canary file reads at multiple timestamps are consistent with oathe's monitoring framework performing periodic integrity baseline checks. The simultaneous access pattern and official integrity confirmation support this attribution.