Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Binance Algo

Binance Algo request using the Binance API. Authentication requires API key and secret key.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 40 · 0 current installs · 0 all-time installs
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The SKILL.md clearly requires an API key and secret key for authenticated Binance endpoints, but the registry metadata lists no required environment variables or primary credential. A Binance trading skill legitimately needs API credentials, so the metadata omission is an incoherence that may hide how secrets will be provided or stored.
!
Instruction Scope
The instructions ask the agent to request credentials via an uploaded file and to store new accounts in a local TOOLS.md file. They also describe multiple signing methods (HMAC SHA256, RSA, Ed25519) and example shell snippets that reference secret material. Directives to accept files containing keys and to persist them to a plaintext-marked TOOLS.md broaden the skill's scope to handling and storing sensitive secrets.
Install Mechanism
This is an instruction-only skill with no install spec or code files to execute. That minimizes disk-write/install risk, but the runtime instructions themselves still describe file I/O and curl/openssl usage.
!
Credentials
The skill reasonably needs Binance API credentials, but the registry metadata does not declare them. The SKILL.md also suggests accepting private-key based signing (RSA/Ed25519) in addition to HMAC secrets, which would require more sensitive material than a typical Binance secret key. The skill's guidance to store credentials in TOOLS.md implies writing secrets to disk in plaintext unless the agent/platform encrypts that file — that is disproportionate for a simple API integration unless explicit secure storage is used.
Persistence & Privilege
The skill does not request 'always' or elevated platform privileges, but it instructs the agent to persist account entries into TOOLS.md and to request files containing keys. Persisting secrets into a project or config file is a persistence action that increases risk if the file is stored unencrypted or in version control.
What to consider before installing
This skill looks like a legitimate Binance trading integration, but there are important mismatches and risky instructions you should address before installing:

  • Metadata vs. instructions: The registry metadata claims no required credentials, but the SKILL.md clearly requires an API key and secret (and even suggests private-key signing). Confirm with the publisher how credentials are expected to be supplied and why metadata omits them.
  • Secret handling: The skill tells the agent to accept a file with keys and to store accounts in TOOLS.md. Do NOT provide real API secrets unless you trust the author and understand where and how the secrets will be stored (are they encrypted? will they be committed to version control?). Prefer secure secret storage or environment variables managed by your platform.
  • Signing methods: Binance normally uses HMAC SHA256. The SKILL.md's RSA/Ed25519 examples imply the skill might request private keys — avoid supplying private keys unless you explicitly need that signing mode and understand the consequences.
  • Transaction confirmation: The skill claims it will ask you to type "CONFIRM" before mainnet transactions — test that this confirmation actually occurs before performing any trade.
  • Vet the publisher: There is no homepage and the owner ID is an opaque string. If you plan to use this with real funds, get additional assurance (contact, repository, or official Binance-sourced plugin) and consider using limited-permission API keys (no withdrawals) and IP whitelisting.

If you cannot verify these points, treat installation as risky and avoid giving live API secrets or private keys.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk972c3e52msxbq8yc4andx835d838tr0


SKILL.md

Binance Algo Skill

Algo request on Binance using authenticated API endpoints. Requires API key and secret key for certain endpoints. Return the result in JSON format.

Quick Reference

| Endpoint | Description | Required | Optional | Authentication |
|---|---|---|---|---|
| /sapi/v1/algo/futures/order (DELETE) | Cancel Algo Order(TRADE) | algoId | recvWindow | Yes |
| /sapi/v1/algo/futures/openOrders (GET) | Query Current Algo Open Orders(USER_DATA) | None | recvWindow | Yes |
| /sapi/v1/algo/futures/historicalOrders (GET) | Query Historical Algo Orders(USER_DATA) | None | symbol, side, startTime, endTime, page, pageSize, recvWindow | Yes |
| /sapi/v1/algo/futures/subOrders (GET) | Query Sub Orders(USER_DATA) | algoId | page, pageSize, recvWindow | Yes |
| /sapi/v1/algo/futures/newOrderTwap (POST) | Time-Weighted Average Price(Twap) New Order(TRADE) | symbol, side, quantity, duration | positionSide, clientAlgoId, reduceOnly, limitPrice, recvWindow | Yes |
| /sapi/v1/algo/futures/newOrderVp (POST) | Volume Participation(VP) New Order (TRADE) | symbol, side, quantity, urgency | positionSide, clientAlgoId, reduceOnly, limitPrice, recvWindow | Yes |
| /sapi/v1/algo/spot/order (DELETE) | Cancel Algo Order(TRADE) | algoId | recvWindow | Yes |
| /sapi/v1/algo/spot/openOrders (GET) | Query Current Algo Open Orders(USER_DATA) | None | recvWindow | Yes |
| /sapi/v1/algo/spot/historicalOrders (GET) | Query Historical Algo Orders(USER_DATA) | None | symbol, side, startTime, endTime, page, pageSize, recvWindow | Yes |
| /sapi/v1/algo/spot/subOrders (GET) | Query Sub Orders(USER_DATA) | algoId | page, pageSize, recvWindow | Yes |
| /sapi/v1/algo/spot/newOrderTwap (POST) | Time-Weighted Average Price(Twap) New Order(TRADE) | symbol, side, quantity, duration | clientAlgoId, limitPrice | Yes |

Parameters

Common Parameters

  • algoId: e.g. 14511 (e.g., 1)
  • recvWindow: (e.g., 5000)
  • symbol: Trading symbol, e.g. BTCUSDT (e.g., BTCUSDT)
  • side: BUY or SELL (e.g., BUY)
  • startTime: in milliseconds, e.g. 1641522717552 (e.g., 1623319461670)
  • endTime: in milliseconds, e.g. 1641522526562 (e.g., 1641782889000)
  • page: Default is 1 (e.g., 1)
  • pageSize: MIN 1, MAX 100; Default 100 (e.g., 100)
  • symbol: Trading symbol, e.g. BTCUSDT (e.g., BTCUSDT)
  • side: Trading side (BUY or SELL) (e.g., BUY)
  • positionSide: Default BOTH for One-way Mode; LONG or SHORT for Hedge Mode. It must be sent in Hedge Mode. (e.g., BOTH)
  • quantity: Quantity of base asset; Maximum notional per order is 200k, 2mm or 10mm, depending on symbol. Please reduce your size if your order is above the maximum notional per order. (e.g., 1.0)
  • duration: Duration for TWAP orders in seconds. [300, 86400] (e.g., 5000)
  • clientAlgoId: A unique id among Algo orders (length should be 32 characters). If it is not sent, we will give a default value (e.g., 1)
  • reduceOnly: "true" or "false". Default "false"; Cannot be sent in Hedge Mode; Cannot be sent when you open a position
  • limitPrice: Limit price of the order; If it is not sent, the order is placed at market price by default (e.g., 1.0)
  • urgency: Represents the relative speed of the current execution; ENUM: LOW, MEDIUM, HIGH (e.g., LOW)

Authentication

For endpoints that require authentication, you will need to provide Binance API credentials. Required credentials:

  • apiKey: Your Binance API key (for header)
  • secretKey: Your Binance API secret (for signing)

Base URLs:

Security

Share Credentials

Users can provide Binance API credentials by sending a file where the content is in the following format:

abc123...xyz
secret123...key

Never Disclose API Key and Secret

Never disclose the location of the API key and secret file.

Never send the API key and secret to any website other than Mainnet and Testnet.

Never Display Full Secrets

When showing credentials to users:

  • API Key: Show first 5 + last 4 characters: su1Qc...8akf
  • Secret Key: Always mask, show only last 5: ***...aws1

Example response when asked for credentials:

Account: main
API Key: su1Qc...8akf
Secret: ***...aws1

Listing Accounts

When listing accounts, show names and environment only — never keys:

Binance Accounts:

  • main (Mainnet)
  • futures-keys (Mainnet)

Transactions in Mainnet

When performing transactions in mainnet, always confirm with the user before proceeding by asking them to write "CONFIRM" to proceed.


Binance Accounts

main

  • API Key: your_mainnet_api_key
  • Secret: your_mainnet_secret

TOOLS.md Structure

## Binance Accounts

### main
- API Key: abc123...xyz
- Secret: secret123...key
- Description: Primary trading account

### futures-keys
- API Key: futures789...def
- Secret: futuressecret...uvw
- Description: Futures trading account

Agent Behavior

  1. Credentials requested: Mask secrets (show last 5 chars only)
  2. Listing accounts: Show names and environment, never keys
  3. Account selection: Ask if ambiguous, default to main
  4. When doing a transaction in mainnet, confirm with the user first by asking them to write "CONFIRM" to proceed
  5. New credentials: Prompt for name, environment, signing mode

Adding New Accounts

When user provides new credentials:

  • Ask for account name
  • Store in TOOLS.md with masked display confirmation
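
A check for the plaintext-storage concern raised in the scan results, combined with the masking rules above (an added example, not part of SKILL.md or the publisher's code): it parses a file in the TOOLS.md layout, flags accounts whose Secret field holds unmasked text, and reports them using the first-5/last-4 and last-5 masks. The sample file content, the length thresholds and the placeholder heuristic are assumptions constructed for illustration.

```python
import re

# Constructed sample in the TOOLS.md layout shown above; no real credentials.
SAMPLE_TOOLS_MD = """\
### main
- API Key: su1QcCONSTRUCTED0000008akf
- Secret: CONSTRUCTEDSECRET0000xaws1
- Description: Primary trading account

### futures-keys
- API Key: your_mainnet_api_key
- Secret: your_mainnet_secret
"""
FIELD = re.compile(r"^- (API Key|Secret|Description):\s*(.*)$")

def mask_api_key(key):
    """First 5 + last 4 characters; fully masked if too short to hide anything."""
    return f"{key[:5]}...{key[-4:]}" if len(key) > 9 else "***"

def mask_secret(secret):
    """Always masked; only the last 5 characters are shown (assumed minimum length 11)."""
    return f"***...{secret[-5:]}" if len(secret) > 10 else "***"

def parse_accounts(text):
    """Return {account name: {field: value}} from '### name' sections."""
    accounts, current = {}, None
    for line in text.splitlines():
        if line.startswith("### "):
            current = accounts.setdefault(line[4:].strip(), {})
        elif current is not None and (m := FIELD.match(line.strip())):
            current[m.group(1)] = m.group(2).strip()
    return accounts

def is_placeholder(value):
    """Heuristic (assumption): template text or an already-elided value."""
    return not value or value.startswith("your_") or "..." in value

def audit(text):
    """List accounts whose Secret field holds what looks like live plaintext."""
    findings = []
    for name, fields in parse_accounts(text).items():
        if not is_placeholder(fields.get("Secret", "")):
            findings.append({"account": name,
                             "api_key": mask_api_key(fields.get("API Key", "")),
                             "secret": mask_secret(fields["Secret"])})
    return findings
```

Any account returned by `audit()` has a secret sitting in the file as plaintext and should be moved to a secret store and rotated if the file was ever committed or shared.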

Signing Requests

For trading endpoints that require a signature:

  1. Build query string with all parameters, including the timestamp (Unix ms).
  2. Percent-encode the parameters using UTF-8 according to RFC 3986.
  3. Sign query string with secretKey using HMAC SHA256, RSA, or Ed25519 (depending on the account configuration).
  4. Append signature to query string.
  5. Include X-MBX-APIKEY header.

Otherwise, do not perform steps 3–5.
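
The five steps above for the HMAC SHA256 mode only, as an added example that is not taken from SKILL.md or references/authentication.md. The environment variable names, parameter values and credentials are constructed assumptions; nothing is sent over the network.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import quote

USER_AGENT = "binance-algo/1.0.0 (Skill)"  # string given on this page


def build_query(params):
    """Steps 1-2: join parameters, percent-encoding per RFC 3986 (UTF-8)."""
    # safe="" leaves only unreserved characters (A-Z a-z 0-9 - . _ ~) unescaped.
    return "&".join(
        f"{quote(str(k), safe='')}={quote(str(v), safe='')}" for k, v in params.items()
    )


def sign_request(params, api_key, secret_key, timestamp_ms=None):
    """Steps 1-5 for the HMAC SHA256 mode; returns (signed_query, headers)."""
    if not api_key or not secret_key:
        raise ValueError("API key and secret key are required for signed endpoints")
    signed = dict(params)
    signed["timestamp"] = int(time.time() * 1000) if timestamp_ms is None else timestamp_ms
    query = build_query(signed)
    signature = hmac.new(secret_key.encode(), query.encode(), hashlib.sha256).hexdigest()
    headers = {"X-MBX-APIKEY": api_key, "User-Agent": USER_AGENT}
    return f"{query}&signature={signature}", headers


def load_credentials(env=os.environ):
    """Assumed variable names; keeps the secret out of files such as TOOLS.md."""
    return env.get("BINANCE_API_KEY", ""), env.get("BINANCE_SECRET_KEY", "")


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real order.
    query, headers = sign_request(
        {"symbol": "BTCUSDT", "side": "BUY", "quantity": "1.0", "duration": 5000,
         "clientAlgoId": "demo id/1", "recvWindow": 5000},
        api_key="constructed-api-key", secret_key="constructed-secret",
        timestamp_ms=1641522717552,
    )
    print(query)
    print({k: ("<redacted>" if k == "X-MBX-APIKEY" else v) for k, v in headers.items()})
```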

User Agent Header

Include User-Agent header with the following string: binance-algo/1.0.0 (Skill)

See references/authentication.md for implementation details.

Files

4 total