Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Binance Derivatives Trading Portfolio Margin

v1.0.0

Binance Derivatives-trading-portfolio-margin request using the Binance API. Authentication requires API key and secret key. Supports testnet and mainnet.

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The SKILL.md describes authenticated Binance Derivatives portfolio-margin endpoints and shows HMAC/RSA/Ed25519 signing that requires an API key, secret key, or private key. However, the registry metadata lists no required environment variables or primary credential. A Binance trading skill legitimately needs API credentials; the omission in metadata is incoherent and could lead to secrets being handled in unexpected ways by the agent or by an integrator.
Instruction Scope
The instruction document stays focused on constructing signed HTTP requests to official Binance endpoints and includes curl and openssl examples. Concerns: the examples demonstrate putting secrets on the command line (curl -H or echo | openssl), which can leak via process lists or shell history; RSA/Ed25519 private-key examples reference private_key.pem without guidance on secure storage; instructions do not say how the agent will obtain or store credentials. No instructions indicate exfiltration to non-Binance endpoints, and base URLs are official testnet/mainnet hosts.
Install Mechanism
Instruction-only skill with no install spec and no code files to write to disk — low install risk.
Credentials (flagged)
The skill requires sensitive secrets (API key and secret/private key) to function, but the package metadata declares no required env vars or primary credential and no config path requirements. This mismatch is disproportionate and ambiguous (the skill also shows alternate signing methods). The lack of declared credentials makes it unclear how the agent will prompt for or protect secrets.
Persistence & Privilege
always:false and no install scripts — the skill does not request permanent inclusion or elevated platform privileges. It does not appear to modify other skills or system-wide configs.
What to consider before installing
This skill appears to be a legitimate Binance API integration (endpoints and signing match Binance patterns), but the package metadata fails to declare the API credentials it needs and the source/homepage is not provided. Before installing: (1) Verify the author/source (request a repository or homepage); (2) Do not paste real API secrets into chat—use the platform's secure secret storage; (3) Prefer using testnet credentials first and restrict API key permissions (disable withdrawals) and enable IP whitelist; (4) Ask the maintainer to declare required env vars (API_KEY, SECRET_KEY or path to private key) and to avoid examples that place secrets on the command line; (5) If you must try it, supply least-privilege keys and monitor account activity. If the publisher cannot explain why credentials are not declared in metadata, treat the skill as higher risk.


Version: latest (vk97cccfw7aemd69cpnjdxk9bph839s0m)

License

MIT-0
Free to use, modify, and redistribute. No attribution required.