ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Binance Alpha

Binance Alpha request using the Binance API. Authentication requires API key and secret key.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 52 · 0 current installs · 0 all-time installs
by@binance-skills-hub
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md requires a Binance API key and secret for authenticated endpoints, but the registry metadata declares no primary credential and no required env vars or config paths — that's an inconsistency. The package claims author 'Binance' but has no source or homepage and an unknown owner ID, which could indicate impersonation or sloppy metadata.
!
Instruction Scope
Runtime instructions ask the agent to accept credentials via an uploaded file and to store new accounts in TOOLS.md (persisting credentials to disk). Examples show signing with openssl and making curl requests. These instructions go beyond read-only queries: they direct the agent to store credentials and perform signed requests; the examples also pass secrets on the command line (process-list leakage risk).
Install Mechanism
No install spec and no code files beyond documentation — instruction-only skill has minimal install risk (nothing will be downloaded or executed automatically).
!
Credentials
Requesting only Binance API key/secret is proportionate for a Binance integration, but the skill fails to declare those credentials in metadata (no primaryEnv or required env vars). It also instructs users to provide credentials via uploaded files and to persist them in TOOLS.md, which is a high-risk storage practice if done in plaintext.
!
Persistence & Privilege
The skill is not marked 'always', but its instructions explicitly tell the agent to add credentials to TOOLS.md (persistent storage). Combined with normal autonomous invocation, persistent plaintext credentials increase blast radius if the agent or workspace is compromised. The skill does include a user confirmation step for mainnet transactions (good), but persistence/storage behavior is not represented in metadata.
What to consider before installing
This skill appears to implement Binance API signing and authenticated requests, but be cautious before installing or using it: - Metadata mismatch: the registry metadata does not declare API credentials even though SKILL.md requires them. Ask the publisher to clarify where and how credentials are declared and stored. - Verify publisher identity: the skill claims author 'Binance' but has no source/homepage and an unknown owner ID. Confirm authenticity (official Binance release or a trusted third party) before providing secrets. - Do not upload or store API secrets in plaintext TOOLS.md or in chat history. Prefer platform-provided secret storage (encrypted environment variables or a vault) or scoped testnet keys. - The examples pass secret keys on the command line (openssl -hmac 'secret'), which can leak via process listings — request a safer signing implementation that avoids exposing secrets in argv (use stdin, secure libraries, or SDKs). - If you must use it: supply only least-privilege API keys (no withdrawal permissions), enable IP whitelisting on the API key, and test on testnet first. Insist that the skill author provide clear documentation of where credentials are stored, who has access, and whether they are encrypted at rest. If the publisher cannot address these points, treat the skill as untrusted and do not provide real account credentials.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97f0grnj8m8aak2wnn6w4jb0s8377hs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Binance Alpha Skill

Alpha request on Binance using authenticated API endpoints. Requires API key and secret key for certain endpoints. Return the result in JSON format.

Quick Reference

EndpointDescriptionRequiredOptionalAuthentication
/bapi/defi/v1/public/alpha-trade/ticker (GET)Ticker (24hr Price Statistics)symbolNoneNo
/bapi/defi/v1/public/alpha-trade/agg-trades (GET)Aggregated TradessymbolfromId, startTime, endTime, limitNo
/bapi/defi/v1/public/alpha-trade/get-exchange-info (GET)Get Exchange InfoNoneNoneNo
/bapi/defi/v1/public/alpha-trade/klines (GET)Klines (Candlestick Data)symbol, intervallimit, startTime, endTimeNo
/bapi/defi/v1/public/wallet-direct/buw/wallet/cex/alpha/all/token/list (GET)Token ListNoneNoneNo

Parameters

Common Parameters

  • symbol: e.g., "ALPHA_175USDT" – use token ID from Token List
  • fromId: starting trade ID to fetch from (e.g., 1)
  • startTime: start timestamp (milliseconds) (e.g., 1623319461670)
  • endTime: end timestamp (milliseconds) (e.g., 1641782889000)
  • limit: number of results to return (default 500, max 1000) (e.g., 500)
  • interval: e.g., "1h" – supported intervals: 1s, 15s, 1m, 3m, 5m, 15m, 30m, 1h, 2h, 4h, 6h, 8h, 12h, 1d, 3d, 1w, 1M

Authentication

For endpoints that require authentication, you will need to provide Binance API credentials. Required credentials:

  • apiKey: Your Binance API key (for header)
  • secretKey: Your Binance API secret (for signing)

Base URLs:

Security

Share Credentials

Users can provide Binance API credentials by sending a file where the content is in the following format:

abc123...xyz
secret123...key

Never Disclose API Key and Secret

Never disclose the location of the API key and secret file.

Never send the API key and secret to any website other than Mainnet and Testnet.

Never Display Full Secrets

When showing credentials to users:

  • API Key: Show first 5 + last 4 characters: su1Qc...8akf
  • Secret Key: Always mask, show only last 5: ***...aws1

Example response when asked for credentials: Account: main API Key: su1Qc...8akf Secret: ***...aws1

Listing Accounts

When listing accounts, show names and environment only — never keys: Binance Accounts:

  • main (Mainnet)
  • futures-keys (Mainnet)

Transactions in Mainnet

When performing transactions in mainnet, always confirm with the user before proceeding by asking them to write "CONFIRM" to proceed.

Binance Accounts

main

  • API Key: your_mainnet_api_key
  • Secret: your_mainnet_secret

TOOLS.md Structure

## Binance Accounts

### main
- API Key: abc123...xyz
- Secret: secret123...key
- Description: Primary trading account

### futures-keys
- API Key: futures789...def
- Secret: futuressecret...uvw
- Description: Futures trading account

Agent Behavior

  1. Credentials requested: Mask secrets (show last 5 chars only)
  2. Listing accounts: Show names and environment, never keys
  3. Account selection: Ask if ambiguous, default to main
  4. When doing a transaction in mainnet, confirm with user before by asking to write "CONFIRM" to proceed
  5. New credentials: Prompt for name, environment, signing mode

Adding New Accounts

When user provides new credentials:

  • Ask for account name
  • Store in TOOLS.md with masked display confirmation

Signing Requests

For trading endpoints that require a signature:

  1. Build query string with all parameters, including the timestamp (Unix ms).
  2. Percent-encode the parameters using UTF-8 according to RFC 3986.
  3. Sign query string with secretKey using HMAC SHA256, RSA, or Ed25519 (depending on the account configuration).
  4. Append signature to query string.
  5. Include X-MBX-APIKEY header.

Otherwise, do not perform steps 3–5.

User Agent Header

Include User-Agent header with the following string: binance-alpha/1.0.0 (Skill)

See references/authentication.md for implementation details.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…