ClawHub

Spot

v0.1.0

Binance Spot request using the Binance API. Authentication requires API key and secret key. Supports testnet and mainnet.

0· 286·6 current·6 all-time
by@awessh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md clearly describes authenticated Binance Spot requests that require an API key and secret. However the registry metadata declares no required environment variables, no primary credential, and no required binaries. A Binance trading skill would reasonably declare at least the API key and secret (or a primaryEnv) and note dependencies such as curl/openssl or a HTTP client. This mismatch is incoherent.
Instruction Scope
The instructions are focused on Binance endpoints and include examples for signing requests and sending them (curl + openssl examples). They do not instruct reading unrelated local files or exfiltrating data to other endpoints. That said, because the skill is instruction-only, the agent will need to collect API credentials at runtime (not declared in the manifest), which may lead to ad-hoc handling of secrets unless constrained.
Install Mechanism
Instruction-only skill with no install spec and no code files — low installation risk. Nothing is downloaded or written to disk by the skill itself.
!
Credentials
Authenticated endpoints require an API key and secret; the SKILL.md and references explicitly describe using them, yet the manifest lists no required env vars or primary credential. Additionally, examples rely on curl and openssl but those binaries are not declared. The absence of declared credentials and binaries is disproportionate to the skill's needs and reduces transparency about where secrets are supplied or stored.
Persistence & Privilege
The skill does not request always:true and is not installing persistent components. It is user-invocable and can be invoked autonomously (platform default), which is expected. No evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to be a straightforward Binance Spot API instruction set, but its manifest is incomplete. Before installing or using it: (1) don't provide your mainnet API key/secret until the author fixes the manifest to explicitly declare required credentials and binaries; (2) prefer creating a testnet key or a restricted mainnet key (trading-only, withdrawals disabled, IP whitelist) and test there first; (3) ask the publisher to add required env vars (e.g., BINANCE_API_KEY, BINANCE_SECRET) and to document how/where keys are stored or transmitted; (4) confirm that the agent will not log or transmit keys to third-party endpoints and that keys are not persisted by the skill; (5) if you must proceed, rotate keys after testing. If the author cannot clarify why the manifest omits credentials/binaries, treat the skill as untrusted for real funds.

Like a lobster shell, security has layers — review code before you run it.

latestvk97517nd7sqxy92pxtkqhw0p9s82erd1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments