Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Binance Event Contract Data Fetcher
v1.0.0
Fetches 100% accurate, real-time Binance BTCUSDT and ETHUSDT Event Contract data every minute, including K-lines, liquidity, prices, and contract rules.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (fetch Binance BTCUSDT/ETHUSDT event contract market data) aligns with the instructions to call Binance REST/WebSocket public endpoints; public market data usually does not require credentials, so the lack of required env vars is reasonable. However, the SKILL.md asserts 100% accuracy and a 1-second fetch SLA every minute — unrealistic guarantees that don't match normal network/API behavior.
Instruction Scope
The instructions tell the agent to auto-start a cron task at agent startup, run every minute, cache results, push alerts, and "sync to all related Skills". Those behaviors imply persistent scheduling, local storage, and cross-skill communication, but SKILL.md provides no details about where cached data is stored, how alerts are delivered, or what "sync" entails (call other skills, write their config, or post to a central queue). That broad scope is not constrained and could lead to unexpected access to other skills or local data.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written by an installer. That is low-risk from an installation standpoint. (The README shows an npx install command, but the registry metadata lists no install spec — the listed command is documentation only.)
Credentials
The skill declares no required environment variables or credentials, which is plausible for public-market reads. However, it also claims to "sync to all related Skills" and to "push alerts" without declaring any tokens, endpoints, or config paths for those operations. That is an inconsistency: cross-skill syncing or alerting typically requires declared channels/credentials or platform hooks.
Persistence & Privilege
Registry flags are standard (always:false, model-invocation allowed). But SKILL.md requires auto-run every minute after agent startup and persistent caching. It's unclear how the agent platform will grant the skill a persistent scheduler or storage; the skill asks for persistent runtime behavior without specifying required platform permissions. This mismatch should be clarified.
What to consider before installing
Before installing, ask the publisher for clarification on: (1) where cached data will be stored (filesystem path, DB, retention policy) and who can read it, (2) what "sync to all related Skills" actually does and whether it modifies other skills' configs or simply calls their public interfaces, (3) what alerting channel is used and whether any alert credentials are required, (4) exact Binance endpoints (REST vs futures vs index endpoints) and expected rate limits/WS connections, and (5) what safeguards prevent the skill from escalating to trading or accessing unrelated data. Prefer installing in a restricted environment that limits outbound network hosts to Binance domains, limits write access to a designated cache directory, and logs all automated fetches. If the publisher cannot provide these details, treat the skill as higher risk and avoid granting it persistent/scheduling privileges.
Like a lobster shell, security has layers — review code before you run it.
