Binance Agentic Wallet

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Binance wallet-control skill, but it needs review because it can perform real financial actions and its preflight flow allows global CLI installation or upgrades without clear user consent.

Install only if you intend to let this skill control a Binance Web3 wallet through the baw CLI. Require explicit approval before any npm install or upgrade, verify every recipient address, token contract, amount, chain, slippage, fee, quote, and payment recipient, and use Binance app limits/sign-out controls to constrain the session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The activation trigger is overly broad because it includes the catch-all phrase "or any on-chain wallet operation," which can cause the skill to activate for a wide range of sensitive blockchain actions beyond narrowly scoped intents. In a wallet-managing skill that can transfer funds, trade, and sign payments, over-activation increases the chance the agent routes users into high-risk workflows unexpectedly or without sufficient contextual safeguards.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises irreversible financial operations such as token transfers, swaps, limit orders, prediction trades, and payment signing without an upfront risk warning in the user-facing description. Because this skill is designed for real wallet operations, users may engage with dangerous actions before being clearly informed about loss risk, settlement finality, slippage, or fraud exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The `market-order swap` documentation describes how to execute an on-chain token swap but does not place a clear, upfront warning near the command that the action can irreversibly move funds, incur fees, and result in losses from slippage, liquidity failure, or adverse execution. In a wallet/trading skill, this omission is safety-relevant because an agent may present or trigger the operation as routine, causing users to underestimate that submission can lead to real financial consequences even before final confirmation is checked.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
`prediction trade cancel` is a state-changing operation that can revoke open orders, potentially causing users to miss intended fills or lose trading opportunities. Unlike the documented two-step confirmation flow for placing orders, this section lacks an explicit requirement to confirm user intent before executing cancellation, which increases the risk of accidental or prompt-induced destructive actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
`prediction trade redeem` changes on-chain/account state by claiming payouts, yet the documentation does not instruct the agent to obtain explicit user approval first. Even though redeeming winnings is usually beneficial, it can still trigger unintended transactions, fees, tax/reporting consequences, or claims on the wrong chain/token set if invoked automatically.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The file instructs the agent to run preflight checks 'at the start of each conversation' without clearly scoping that behavior to only wallet-related invocations of this skill. In an agent environment, this can cause unintended command execution or side effects in unrelated conversations, expanding the skill's activation surface and increasing the chance of unnecessary tool use or package-management actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions authorize automatic installation or upgrade of a global CLI package via npm when the tool is missing or outdated, without requiring an explicit user warning and consent for system modification. This is dangerous because it permits unprompted changes to the host environment, may introduce supply-chain risk, and could alter system state during routine conversations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explains how to execute a live token transfer but does not clearly warn, before the command is presented, that running it will initiate a real on-chain asset movement that may be irreversible. In an agentic wallet context, this increases the risk of users authorizing unintended transfers or misunderstanding examples as harmless demonstrations, especially because blockchain transfers generally cannot be reversed once confirmed.

VirusTotal

64/64 vendors flagged this skill as clean.
