Skill v0.1.0

ClawScan security

Spot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 7, 2026, 3:17 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions match a Binance Spot client, but the manifest is inconsistent — it omits declaring the required API key/secret and expected binaries (curl/openssl), which is a notable mismatch you should address before trusting it with real credentials.
Guidance
This skill appears to be a straightforward Binance Spot API instruction set, but its manifest is incomplete. Before installing or using it: (1) don't provide your mainnet API key/secret until the author fixes the manifest to explicitly declare required credentials and binaries; (2) prefer creating a testnet key or a restricted mainnet key (trading-only, withdrawals disabled, IP whitelist) and test there first; (3) ask the publisher to add required env vars (e.g., BINANCE_API_KEY, BINANCE_SECRET) and to document how/where keys are stored or transmitted; (4) confirm that the agent will not log or transmit keys to third-party endpoints and that keys are not persisted by the skill; (5) if you must proceed, rotate keys after testing. If the author cannot clarify why the manifest omits credentials/binaries, treat the skill as untrusted for real funds.

Review Dimensions

Purpose & Capability
concern
The SKILL.md clearly describes authenticated Binance Spot requests that require an API key and secret. However, the registry metadata declares no required environment variables, no primary credential, and no required binaries. A Binance trading skill would reasonably declare at least the API key and secret (or a primaryEnv) and note dependencies such as curl/openssl or an HTTP client. This mismatch is incoherent.
Instruction Scope
note
The instructions are focused on Binance endpoints and include examples for signing requests and sending them (curl + openssl examples). They do not instruct reading unrelated local files or exfiltrating data to other endpoints. That said, because the skill is instruction-only, the agent will need to collect API credentials at runtime (not declared in the manifest), which may lead to ad-hoc handling of secrets unless constrained.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — low installation risk. Nothing is downloaded or written to disk by the skill itself.
Credentials
concern
Authenticated endpoints require an API key and secret; the SKILL.md and references explicitly describe using them, yet the manifest lists no required env vars or primary credential. Additionally, examples rely on curl and openssl but those binaries are not declared. The absence of declared credentials and binaries is disproportionate to the skill's needs and reduces transparency about where secrets are supplied or stored.
Persistence & Privilege
ok
The skill does not request always:true and is not installing persistent components. It is user-invocable and can be invoked autonomously (platform default), which is expected. No evidence it modifies other skills or system-wide settings.