longbridge

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFE
Full Analysis
  • [CREDENTIALS_SAFE]: The skill manages sensitive authentication data (App Key, Secret, and Access Token) using environment variables. It includes a helper function to load these from a local .env file, which is a standard practice for secure local configuration. No hardcoded secrets were detected.
  • [DYNAMIC_EXECUTION]: The skill uses dynamic module loading (__import__) to resolve the official SDK, which recently rebranded from longbridge to longport. This loading is restricted to a hardcoded list of package names and does not process untrusted strings, making it a safe use of dynamic imports for compatibility.
  • [EXTERNAL_DOWNLOADS]: The skill specifies a dependency on the longport package via standard package managers. This is the official library for the service and is used as intended for the skill's primary purpose.
  • [COMMAND_EXECUTION]: All user-provided arguments (symbols, quantities, prices) are validated and converted to strict types like float, int, or Decimal before being passed to the SDK. Market sides and order types are mapped through hardcoded dictionaries, preventing any form of command or argument injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 18, 2026, 09:26 PM