Back to skill

Security audit

ChoiGPT Binance Trading Bot

Security checks across malware telemetry and agentic risk

Overview

This is a real Binance futures trading bot, but it can place leveraged live trades without strong confirmation and under-discloses sending account context to Google Gemini.

Install only if you are prepared to audit and operate a real-money Binance futures bot. Use restricted no-withdrawal API keys, enable testnet or dry-run first, remove the hardcoded Google key path, decide whether Gemini and Telegram should receive account/trade details, and add explicit confirmations or hard limits before allowing live automated trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (25)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This code sends prompts to Google's Gemini API and, elsewhere in the module, those prompts can include conversation history and real account context. Even if networked AI is part of the feature, the implementation lacks visible minimization, consent, or clear boundaries on what data may leave the system, creating a real data-exposure risk.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
A concrete Google API key is hardcoded as a fallback value in source code. Hardcoded secrets are easily leaked through source control, logs, backups, or redistribution and can be abused to access the vendor account, incur charges, or pivot into related services.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The function is described as generating a contextual chat response, but its behavior includes packaging sensitive account state and prior chat messages for external model processing. This mismatch can mislead reviewers and operators, increasing the chance of silent data egress in production.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file presents itself as a data collection module, but it also contains live trading, leverage changes, margin-mode changes, and order-cancellation logic. That mismatch is dangerous because an integrator may import or authorize this component expecting read-only market data behavior while actually enabling account-mutating operations against a live Binance futures account.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The position sizing function signature and documentation imply risk-based sizing using entry price, stop loss, leverage, and risk percentage, but the implementation ignores stop_loss and risk_pct and instead uses a fixed-margin model. This can cause users or higher-level agents to assume trades are capped by risk when they are not, leading to oversized positions and unexpected liquidation or loss exposure.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file header describes a live automated trading bot, but the implementation also ingests Telegram channel consensus and uses it to influence entry decisions. That hidden behavioral dependency changes the trust model of the system: trades can be indirectly shaped by external, potentially manipulated signals without clear disclosure in the primary module description.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The code warns that integrated execution should use a different entrypoint and that duplicate execution can cause order conflicts, yet the application still exposes direct live trading from this file. That mismatch increases the chance an operator will launch real trading from the wrong interface, causing unintended orders or duplicate automated trading activity.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The general AI chat path automatically injects live account balance, available funds, and open-position performance into model conversations regardless of the user's request. This creates unnecessary exposure of sensitive financial data to the AI layer and any upstream model/provider, increasing confidentiality and privacy risk beyond the user's intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly documents a live trading mode that uses real assets but does not present a clear, prominent warning about the risk of financial loss, liquidation, exchange-side execution behavior, or the irreversibility of automated trades. In the context of a Binance futures trading bot, this omission is materially risky because users may invoke live mode directly from the documentation without understanding leverage, volatility, or automation failure modes.

Missing User Warnings

High
Confidence
95% confidence
Finding
The module constructs prompts containing balances, available funds, open positions, win rate, trade history, and cycle data, then sends them to an external AI provider. Sending financial/account telemetry to a third party without any visible notice, consent flow, or masking materially increases privacy, confidentiality, and compliance risk.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The function writes PNG bytes to a caller-controlled save_path without any validation, restriction, or disclosure. If untrusted input can reach this parameter, an attacker could overwrite arbitrary files writable by the process, causing data loss, defacement, or abuse of predictable filesystem locations.

Missing User Warnings

High
Confidence
95% confidence
Finding
The module directly executes destructive financial actions such as placing orders, setting leverage, switching margin type, and canceling orders with no explicit confirmation gate, user acknowledgement, or safety interlock. In a skill or agent context, this is especially dangerous because autonomous or accidental invocation can immediately create or alter leveraged futures positions and realize financial loss.

Missing User Warnings

High
Confidence
98% confidence
Finding
The bot enters an always-on loop, analyzes markets, and can place real exchange orders automatically when AUTO_TRADE_ENABLED is set, without any human approval step or strong safety interlock. In a live trading context this is dangerous because configuration error, strategy failure, compromised dependencies, or manipulated inputs can immediately translate into financial loss on a real account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code transmits trading events and account-related information to Telegram, including balances, position status, PnL, and trade details, without any in-file consent, minimization, or redaction controls. If the bot token, chat configuration, or Telegram destination is wrong or compromised, sensitive financial telemetry is exfiltrated to a third party.

Missing User Warnings

High
Confidence
98% confidence
Finding
The CLI defaults to mode='live', and the live path immediately starts an automated trading bot with no explicit confirmation or dry-run safeguard. In a trading context, this is dangerous because simply running the script can place real market activity, potentially leading to financial loss if credentials and production settings are present.

Missing User Warnings

High
Confidence
97% confidence
Finding
This code places live trading orders, sets leverage, and configures stop-loss/take-profit automatically once strategy conditions are met, without any explicit user confirmation, approval workflow, or immediate pre-trade warning in this file. In a trading context, that is materially dangerous because a faulty strategy signal, compromised dependency, or unexpected market condition can trigger real financial loss with no human-in-the-loop safeguard.

Missing User Warnings

High
Confidence
98% confidence
Finding
Analysis requests can directly trigger live auto-trading when auto-trade is enabled and confidence exceeds a threshold, without an explicit confirmation step at the moment of execution. A user asking for chart analysis may unintentionally cause real market orders, which is especially dangerous in a chat interface where intent can be ambiguous or misclassified.

Missing User Warnings

High
Confidence
95% confidence
Finding
The auto-trade toggle flips live trading state immediately with no confirmation, cooldown, or risk acknowledgment. If triggered accidentally or by an authorized but inattentive user, the system can move from passive analysis to real-money execution instantly, materially changing operational risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code transmits trade entry details to Telegram when notify_telegram is enabled, but this file provides no explicit consent, disclosure, redaction, or policy control around external data sharing. Trade metadata can reveal positions, strategy rationale, leverage, and risk posture, which may expose sensitive financial information if the Telegram destination is misconfigured, compromised, or not expected by the user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code sends completed trade exit information to Telegram without any visible authorization or disclosure boundary in this module. Exit timing and PnL data are sensitive trading records that could leak account behavior or strategy performance to unintended recipients if Telegram notifications are enabled by default or routed insecurely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Signal effectiveness summaries are exported to Telegram, which can disclose aggregate strategy performance and model behavior to external parties. In a live trading context, this is operationally sensitive information that could aid reverse engineering of the trading system or expose confidential performance data if shared without explicit user awareness.

Ssd 2

Medium
Confidence
96% confidence
Finding
Untrusted Telegram message text is inserted directly into the LLM prompt, so a crafted message can contain prompt-injection instructions that cause the model to ignore the extraction task, emit malformed JSON, or fabricate fields. In this skill context, the model output is used to classify and store trading signals, so manipulated outputs can poison downstream data and suppress or falsify signal extraction.

Ssd 3

High
Confidence
98% confidence
Finding
The bot sends sensitive account balance and open-position data into AI conversations regardless of prompt relevance, which is an unnecessary external disclosure of financial information. In the context of a Telegram trading bot, this is more dangerous because the data is live, account-specific, and tied to trading decisions, increasing both privacy and operational risk if leaked, logged, or mishandled by downstream services.

External Transmission

Medium
Category
Data Exfiltration
Content
return
        try:
            url = f"https://api.telegram.org/bot{TELEGRAM_BOT_TOKEN}/sendMessage"
            resp = requests.post(url, json={
                'chat_id': TELEGRAM_CHAT_ID,
                'text': message,
                'parse_mode': 'HTML'
Confidence
96% confidence
Finding
requests.post(url, json=

External Transmission

Medium
Category
Data Exfiltration
Content
if not ENABLE_TELEGRAM or not TELEGRAM_BOT_TOKEN:
            return
        try:
            url = f"https://api.telegram.org/bot{TELEGRAM_BOT_TOKEN}/sendMessage"
            resp = requests.post(url, json={
                'chat_id': TELEGRAM_CHAT_ID,
                'text': message,
Confidence
94% confidence
Finding
https://api.telegram.org/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.