Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Binance Convert

Binance Convert request using the Binance API. Authentication requires API key and secret key.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill description and SKILL.md clearly require Binance API credentials (apiKey and secretKey) to call authenticated endpoints, but the registry metadata lists no required environment variables or primary credential. That mismatch (declaring no creds while instructions expect secrets) is an incoherence — a legitimate Binance integration should declare it needs credentials.
[!] Instruction Scope
SKILL.md instructs the agent to request and store user API keys/secrets in a TOOLS.md file and to accept credential files uploaded by users. It also provides signing and curl examples that use plaintext secrets and private key signing. Asking the agent to collect, store, and display masked secrets (and to write them into repository/workspace files) goes beyond a simple stateless API helper and increases the risk of accidental secret exposure.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That minimizes supply-chain risk because nothing is downloaded or installed by the skill itself.
[!] Credentials
Although the skill needs API and secret keys to function, the metadata does not declare any required credentials or secure storage mechanism. The SKILL.md also suggests using private key signing (RSA/Ed25519) in addition to HMAC, potentially requiring additional sensitive keys, but these are neither declared nor scoped. Recommending storing secrets in a plain TOOLS.md file is disproportionate to the stated helper purpose and risky.
[!] Persistence & Privilege
The skill instructs agents to persist credentials by adding entries to TOOLS.md and to remember account names and environments. Even though always:false and there's no installer, the instruction to store secrets in workspace files creates persistent secrets on disk. The skill does not describe secure storage or encryption, which is a privilege risk (persistent plaintext secrets).
What to consider before installing
Consider the following before installing or using this skill:

  • Do not upload or paste real Binance API keys/secrets unless you trust the skill author and platform. The registry metadata fails to declare required credentials even though SKILL.md expects them.
  • Prefer platform-managed secret storage (agent/host secret store or environment variables) rather than plain files in the workspace. Storing secrets in TOOLS.md or other repo files risks accidental leakage.
  • Verify provenance: the skill's author is listed as 'Binance' in SKILL.md but the registry source/homepage are unknown. Confirm the skill is officially published by Binance or a trusted maintainer before providing keys.
  • If you must use mainnet keys, create an API key with minimal permissions (no withdrawals), enable IP whitelisting, and test with a restricted test/mainnet key with small balances. Ensure the agent asks for an explicit "CONFIRM" before doing any mainnet transaction as described.
  • Ask the maintainer to fix the metadata (declare required credentials/primaryEnv), to document secure storage practices, and to avoid instructing agents to write plaintext secrets to repository files. If the maintainer cannot provide these changes, treat the skill as high-risk and avoid storing real secrets with it.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk9794pdpctpx4vw13n1gdm81gh8377en

SKILL.md

Binance Convert Skill

Convert request on Binance using authenticated API endpoints. Requires API key and secret key for certain endpoints. Return the result in JSON format.

Quick Reference

| Endpoint | Description | Required | Optional | Authentication |
|---|---|---|---|---|
| /sapi/v1/convert/exchangeInfo (GET) | List All Convert Pairs | None | fromAsset, toAsset | No |
| /sapi/v1/convert/assetInfo (GET) | Query order quantity precision per asset (USER_DATA) | None | recvWindow | Yes |
| /sapi/v1/convert/acceptQuote (POST) | Accept Quote (TRADE) | quoteId | recvWindow | Yes |
| /sapi/v1/convert/limit/cancelOrder (POST) | Cancel limit order (USER_DATA) | orderId | recvWindow | Yes |
| /sapi/v1/convert/tradeFlow (GET) | Get Convert Trade History (USER_DATA) | startTime, endTime | limit, recvWindow | Yes |
| /sapi/v1/convert/orderStatus (GET) | Order status (USER_DATA) | None | orderId, quoteId | Yes |
| /sapi/v1/convert/limit/placeOrder (POST) | Place limit order (USER_DATA) | baseAsset, quoteAsset, limitPrice, side, expiredType | baseAmount, quoteAmount, walletType, recvWindow | Yes |
| /sapi/v1/convert/limit/queryOpenOrders (GET) | Query limit open orders (USER_DATA) | None | recvWindow | Yes |
| /sapi/v1/convert/getQuote (POST) | Send Quote Request (USER_DATA) | fromAsset, toAsset | fromAmount, toAmount, walletType, validTime, recvWindow | Yes |

Parameters

Common Parameters

  • fromAsset: The coin the user spends
  • toAsset: The coin the user receives
  • recvWindow: The value cannot be greater than 60000 (e.g., 5000)
  • quoteId: (e.g., 1)
  • orderId: The orderId from placeOrder api (e.g., 1)
  • startTime: (e.g., 1623319461670)
  • endTime: (e.g., 1641782889000)
  • limit: Default 100, Max 1000 (e.g., 100)
  • orderId: Either orderId or quoteId is required (e.g., 1)
  • quoteId: Either orderId or quoteId is required (e.g., 1)
  • baseAsset: base asset (use the fromIsBase field in the response from GET /sapi/v1/convert/exchangeInfo to check which one is the baseAsset)
  • quoteAsset: quote asset
  • limitPrice: Symbol limit price (from baseAsset to quoteAsset) (e.g., 1.0)
  • baseAmount: Base asset amount. (One of baseAmount or quoteAmount is required) (e.g., 1.0)
  • quoteAmount: Quote asset amount. (One of baseAmount or quoteAmount is required) (e.g., 1.0)
  • side: BUY or SELL (e.g., BUY)
  • walletType: Selects which wallet the assets are taken from. The options are SPOT, FUNDING and EARN. Wallet combinations are supported, i.e. SPOT_FUNDING, FUNDING_EARN, SPOT_FUNDING_EARN or SPOT_EARN. Default is SPOT.
  • expiredType: 1_D, 3_D, 7_D, 30_D (D means day)
  • fromAsset:
  • toAsset:
  • fromAmount: When specified, it is the amount you will be debited after the conversion (e.g., 1.0)
  • toAmount: When specified, it is the amount you will be credited after the conversion (e.g., 1.0)
  • validTime: 10s, 30s, 1m, default 10s (e.g., 10s)

Authentication

For endpoints that require authentication, you will need to provide Binance API credentials. Required credentials:

  • apiKey: Your Binance API key (for header)
  • secretKey: Your Binance API secret (for signing)

Base URLs:

Security

Share Credentials

Users can provide Binance API credentials by sending a file where the content is in the following format:

abc123...xyz
secret123...key

Never Disclose API Key and Secret

Never disclose the location of the API key and secret file.

Never send the API key and secret to any website other than Mainnet and Testnet.

Never Display Full Secrets

When showing credentials to users:

  • API Key: Show first 5 + last 4 characters: su1Qc...8akf
  • Secret Key: Always mask, show only last 5: ***...aws1

Example response when asked for credentials:

Account: main
API Key: su1Qc...8akf
Secret: ***...aws1

Listing Accounts

When listing accounts, show names and environment only — never keys:

Binance Accounts:

  • main (Mainnet)
  • futures-keys (Mainnet)

Transactions in Mainnet

When performing transactions in mainnet, always confirm with the user before proceeding by asking them to write "CONFIRM" to proceed.


Binance Accounts

main

  • API Key: your_mainnet_api_key
  • Secret: your_mainnet_secret

TOOLS.md Structure

## Binance Accounts

### main
- API Key: abc123...xyz
- Secret: secret123...key
- Description: Primary trading account

### futures-keys
- API Key: futures789...def
- Secret: futuressecret...uvw
- Description: Futures trading account

Agent Behavior

  1. Credentials requested: Mask secrets (show last 5 chars only)
  2. Listing accounts: Show names and environment, never keys
  3. Account selection: Ask if ambiguous, default to main
  4. Mainnet transactions: Confirm with the user first by asking them to write "CONFIRM" to proceed
  5. New credentials: Prompt for name, environment, signing mode

Adding New Accounts

When user provides new credentials:

  • Ask for account name
  • Store in TOOLS.md with masked display confirmation

Signing Requests

For trading endpoints that require a signature:

  1. Build query string with all parameters, including the timestamp (Unix ms).
  2. Percent-encode the parameters using UTF-8 according to RFC 3986.
  3. Sign query string with secretKey using HMAC SHA256, RSA, or Ed25519 (depending on the account configuration).
  4. Append signature to query string.
  5. Include X-MBX-APIKEY header.

Otherwise, do not perform steps 3–5.
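The signing steps above for the HMAC SHA256 case, as an added example that is not part of the original SKILL.md. The function names and the BINANCE_API_KEY / BINANCE_SECRET_KEY environment variable names are assumptions; keys are read from the environment rather than from TOOLS.md, and nothing is sent over the network.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import quote, urlencode

USER_AGENT = "binance-convert/1.0.0 (Skill)"  # string given on this page
MAX_RECV_WINDOW = 60000                        # limit given on this page


def load_credentials(env=os.environ):
    """Read keys from the process environment, never from a workspace file.

    BINANCE_API_KEY / BINANCE_SECRET_KEY are assumed variable names.
    """
    try:
        return env["BINANCE_API_KEY"], env["BINANCE_SECRET_KEY"]
    except KeyError as missing:
        raise RuntimeError(f"credential not set: {missing}") from None


def sign_request(path, params, api_key, secret_key, now_ms=None):
    """Return (path_with_query, headers) for an HMAC-SHA256 signed call."""
    params = dict(params)
    if int(params.get("recvWindow", 0)) > MAX_RECV_WINDOW:
        raise ValueError("recvWindow cannot be greater than 60000")
    # Step 1: all parameters plus the timestamp in Unix milliseconds.
    params["timestamp"] = int(time.time() * 1000) if now_ms is None else now_ms
    # Step 2: RFC 3986 percent-encoding of UTF-8 bytes (space -> %20, not '+').
    query = urlencode(params, quote_via=quote, safe="")
    # Step 3: HMAC-SHA256 over the exact encoded string that will be sent.
    signature = hmac.new(secret_key.encode(), query.encode(), hashlib.sha256).hexdigest()
    # Steps 4-5: append the signature; the API key travels only in the header.
    headers = {"X-MBX-APIKEY": api_key, "User-Agent": USER_AGENT}
    return f"{path}?{query}&signature={signature}", headers


def verify(path_with_query, secret_key):
    """Hypothetical receiver-side check: recompute the MAC, compare in constant time."""
    query, _, sig = path_with_query.partition("?")[2].rpartition("&signature=")
    expected = hmac.new(secret_key.encode(), query.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)
```

The secret key never appears in the returned URL or headers, and changing any parameter after signing makes `verify` fail.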

User Agent Header

Include User-Agent header with the following string: binance-convert/1.0.0 (Skill)

See references/authentication.md for implementation details.

Files

4 total