ClawHub

Shadow Binance Bot

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Binance analysis skill that uses sensitive Binance credentials but does not place trades, withdraw funds, persist in the background, or send data to unexpected services.

Install only if you are comfortable letting the skill read Binance balances and trade history. Use a read-only Binance API key, disable trading and withdrawals, restrict the key by IP where possible, prefer environment variables over config.env, and treat all strategy simulations as educational estimates rather than trading advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The simulated PnL formula adds losses as positive contributions instead of subtracting them, which can materially overstate profitability and mislead users into believing a strategy is safer or more profitable than it is. In a trading-analysis skill, this is dangerous because users may act on distorted performance projections and take inappropriate financial risk.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
This reduced-trading simulation repeats the same arithmetic flaw by adding loss amounts rather than subtracting them, producing inflated or inverted results. Because the function presents the output as a realistic improvement estimate, users could be nudged toward risky trading decisions based on false analytics.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The DCA simulation claims reduced losses, but it multiplies the loss value and adds it to PnL, which can incorrectly increase reported returns if avgLoss is positive-coded. This creates misleading performance claims for a speculative strategy and may encourage users to adopt riskier behavior under false assumptions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to connect a Binance account and retrieve trading history, and it explicitly integrates AI/LLM components, but it does not clearly disclose what account/trade data may be transmitted, stored, or exposed to third-party services. In a finance-related skill, this omission is risky because trade history, balances, and API credentials are sensitive, and users may not understand the privacy and security implications of enabling the integration.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code generates strategy recommendations and improvement claims for DCA and related trading approaches without clearly warning that the outputs are hypothetical, simplified, and not financial advice. In a trading context, this omission increases the chance that users will overtrust simulated results, especially when the same file already contains misleading PnL logic.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal