Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Binance Derivatives Trading Portfolio Margin Pro

Binance Derivatives-trading-portfolio-margin-pro request using the Binance API. Authentication requires API key and secret key.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly requires a Binance API key and secret to sign authenticated requests, but the registry metadata lists no required environment variables or primary credential. The skill claims author 'Binance' and includes a Binance copyright in LICENSE, yet the registry owner ID is an unrelated account and there is no homepage or verifiable publisher information — this could be impersonation or sloppy packaging.
Instruction Scope
The runtime instructions are focused on Binance API calls and signing, which is within scope. However the authentication docs include extraneous and misleading signing methods (RSA and Ed25519) that do not match Binance's HMAC-SHA256 requirement, and the skill instructs users to supply secrets via uploaded files (plaintext format example). The guidance about masking and never disclosing secrets is good, but the combination of asking for uploaded secret files and not declaring credentials in metadata is problematic.
Install Mechanism
Instruction-only skill with no install spec and no code files to run — no packages or downloads are performed at install time, which minimizes supply-chain risk.
Credentials
Functionally the skill needs two secrets (apiKey and secretKey) to operate, but these are not declared in the registry's required env or primary credential fields. Not declaring them means platform-level credential protections and visibility may be bypassed. The requested secrets are proportional to the task, but the delivery method (ask user to upload a file with raw keys) and missing metadata reduce transparency and safety.
Persistence & Privilege
The skill is not always-enabled and does not request special persistent privileges. Model invocation is allowed (platform default) — because this skill can execute trades when given credentials, autonomous invocation increases risk; this is expected behavior but you should be aware.
What to consider before installing

  • Do not provide real Binance API keys unless you trust the publisher; this package has no verified homepage and the registry metadata does not declare the credentials it needs. Ask the publisher to explicitly declare required credentials (apiKey, secretKey) in the metadata.
  • Prefer giving credentials via the platform's secure credential store rather than uploading plaintext files. If you must upload keys, create keys with minimal permissions (no withdrawals) and enable IP whitelist.
  • The auth docs include RSA/Ed25519 signing examples which are incorrect for Binance HMAC-SHA256 — ask the author to remove confusing/misleading instructions.
  • Because the skill can make real trades, confirm that it will always ask for explicit user confirmation for mainnet transactions before proceeding, and test first on testnet or with a read-only API key.
  • If you install and later suspect misuse, immediately revoke the API key and create a new one. If you need higher assurance, request proof of official Binance ownership (verified publisher info or an official source link) or use an official Binance client library instead.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.0


SKILL.md

Binance Derivatives-trading-portfolio-margin-pro Skill

Derivatives-trading-portfolio-margin-pro request on Binance using authenticated API endpoints. Requires API key and secret key for certain endpoints. Return the result in JSON format.

Quick Reference

| Endpoint | Description | Required | Optional | Authentication |
|---|---|---|---|---|
| /sapi/v1/portfolio/bnb-transfer (POST) | BNB transfer (USER_DATA) | amount, transferSide | recvWindow | Yes |
| /sapi/v1/portfolio/repay-futures-switch (POST) | Change Auto-repay-futures Status (TRADE) | autoRepay | recvWindow | Yes |
| /sapi/v1/portfolio/repay-futures-switch (GET) | Get Auto-repay-futures Status (USER_DATA) | None | recvWindow | Yes |
| /sapi/v1/portfolio/repay (POST) | Portfolio Margin Pro Bankruptcy Loan Repay | None | from, recvWindow | Yes |
| /sapi/v1/portfolio/auto-collection (POST) | Fund Auto-collection (USER_DATA) | None | recvWindow | Yes |
| /sapi/v1/portfolio/asset-collection (POST) | Fund Collection by Asset (USER_DATA) | asset | recvWindow | Yes |
| /sapi/v2/portfolio/account (GET) | Get Portfolio Margin Pro SPAN Account Info (USER_DATA) | None | recvWindow | Yes |
| /sapi/v1/portfolio/account (GET) | Get Portfolio Margin Pro Account Info (USER_DATA) | None | recvWindow | Yes |
| /sapi/v1/portfolio/balance (GET) | Get Portfolio Margin Pro Account Balance (USER_DATA) | None | asset, recvWindow | Yes |
| /sapi/v1/portfolio/delta-mode (GET) | Get Delta Mode Status (USER_DATA) | None | recvWindow | Yes |
| /sapi/v1/portfolio/delta-mode (POST) | Switch Delta Mode (TRADE) | deltaEnabled | recvWindow | Yes |
| /sapi/v1/portfolio/earn-asset-balance (GET) | Get Transferable Earn Asset Balance for Portfolio Margin (USER_DATA) | asset, transferType | recvWindow | Yes |
| /sapi/v1/portfolio/pmLoan (GET) | Query Portfolio Margin Pro Bankruptcy Loan Amount (USER_DATA) | None | recvWindow | Yes |
| /sapi/v1/portfolio/interest-history (GET) | Query Portfolio Margin Pro Negative Balance Interest History (USER_DATA) | None | asset, startTime, endTime, size, recvWindow | Yes |
| /sapi/v1/portfolio/pmloan-history (GET) | Query Portfolio Margin Pro Bankruptcy Loan Repay History (USER_DATA) | None | startTime, endTime, current, size, recvWindow | Yes |
| /sapi/v1/portfolio/repay-futures-negative-balance (POST) | Repay futures Negative Balance (USER_DATA) | None | from, recvWindow | Yes |
| /sapi/v1/portfolio/earn-asset-transfer (POST) | Transfer LDUSDT/RWUSD for Portfolio Margin (TRADE) | asset, transferType, amount | recvWindow | Yes |
| /sapi/v1/portfolio/collateralRate (GET) | Portfolio Margin Collateral Rate (MARKET_DATA) | None | None | No |
| /sapi/v1/portfolio/margin-asset-leverage (GET) | Get Portfolio Margin Asset Leverage (USER_DATA) | None | None | Yes |
| /sapi/v2/portfolio/collateralRate (GET) | Portfolio Margin Pro Tiered Collateral Rate (USER_DATA) | None | recvWindow | Yes |
| /sapi/v1/portfolio/asset-index-price (GET) | Query Portfolio Margin Asset Index Price (MARKET_DATA) | None | asset | No |

Parameters

Common Parameters

  • amount: (e.g., 1.0)
  • transferSide: "TO_UM","FROM_UM"
  • recvWindow: (e.g., 5000)
  • autoRepay: Default: true; false to turn off the auto-repay futures negative balance function (e.g., true)
  • from: SPOT or MARGIN, default SPOT (e.g., SPOT)
  • asset: LDUSDT and RWUSD
  • asset:
  • transferType: EARN_TO_FUTURE / FUTURE_TO_EARN
  • startTime: (e.g., 1623319461670)
  • endTime: (e.g., 1641782889000)
  • size: Default:10 Max:100 (e.g., 10)
  • current: Currently querying page. Start from 1. Default:1 (e.g., 1)
  • deltaEnabled: true to enable Delta mode; false to disable Delta mode

Authentication

For endpoints that require authentication, you will need to provide Binance API credentials. Required credentials:

  • apiKey: Your Binance API key (for header)
  • secretKey: Your Binance API secret (for signing)

Base URLs:

Security

Share Credentials

Users can provide Binance API credentials by sending a file where the content is in the following format:

abc123...xyz
secret123...key

Never Disclose API Key and Secret

Never disclose the location of the API key and secret file.

Never send the API key and secret to any website other than Mainnet and Testnet.

Never Display Full Secrets

When showing credentials to users:

  • API Key: Show first 5 + last 4 characters: su1Qc...8akf
  • Secret Key: Always mask, show only last 5: ***...aws1

Example response when asked for credentials:

Account: main
API Key: su1Qc...8akf
Secret: ***...aws1

Listing Accounts

When listing accounts, show names and environment only — never keys:

Binance Accounts:

  • main (Mainnet)
  • futures-keys (Mainnet)

Transactions in Mainnet

When performing transactions in mainnet, always confirm with the user before proceeding by asking them to write "CONFIRM" to proceed.


Binance Accounts

main

  • API Key: your_mainnet_api_key
  • Secret: your_mainnet_secret

TOOLS.md Structure

## Binance Accounts

### main
- API Key: abc123...xyz
- Secret: secret123...key
- Description: Primary trading account


### futures-keys
- API Key: futures789...def
- Secret: futuressecret...uvw
- Description: Futures trading account

Agent Behavior

  1. Credentials requested: Mask secrets (show last 5 chars only)
  2. Listing accounts: Show names and environment, never keys
  3. Account selection: Ask if ambiguous, default to main
  4. When doing a transaction in mainnet, confirm with the user beforehand by asking them to write "CONFIRM" to proceed
  5. New credentials: Prompt for name, environment, signing mode

Adding New Accounts

When user provides new credentials:

  • Ask for account name
  • Store in TOOLS.md with masked display confirmation

Signing Requests

For trading endpoints that require a signature:

  1. Build query string with all parameters, including the timestamp (Unix ms).
  2. Percent-encode the parameters using UTF-8 according to RFC 3986.
  3. Sign query string with secretKey using HMAC SHA256, RSA, or Ed25519 (depending on the account configuration).
  4. Append signature to query string.
  5. Include X-MBX-APIKEY header.

Otherwise, do not perform steps 3–5.

User Agent Header

Include User-Agent header with the following string: binance-derivatives-trading-portfolio-margin-pro/1.0.0 (Skill)

See references/authentication.md for implementation details.
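
The signing steps and User-Agent header above, for the HMAC SHA256 case only, as an added example that is not code from the skill or from Binance. The function names and sample credentials are constructed for illustration, and nothing is sent over the network.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

USER_AGENT = "binance-derivatives-trading-portfolio-margin-pro/1.0.0 (Skill)"


def _encode(value):
    # Booleans such as deltaEnabled are sent lowercase; str(True) would give "True".
    if isinstance(value, bool):
        value = "true" if value else "false"
    # safe="" leaves only RFC 3986 unreserved characters unescaped.
    return quote(str(value), safe="")


def build_query(params):
    """Steps 1-2: ordered key=value pairs, percent-encoded as UTF-8."""
    return "&".join(f"{_encode(k)}={_encode(v)}" for k, v in params.items())


def _hmac_hex(secret_key, payload):
    return hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()


def sign_request(path, params, api_key, secret_key, timestamp_ms=None):
    """Steps 1-5 for an authenticated endpoint; returns what would be sent."""
    params = dict(params)
    params["timestamp"] = int(time.time() * 1000) if timestamp_ms is None else timestamp_ms
    query = build_query(params)
    signature = _hmac_hex(secret_key, query)  # step 3, HMAC SHA256 only
    return {
        "path": path,
        "query": f"{query}&signature={signature}",  # step 4
        "headers": {"X-MBX-APIKEY": api_key, "User-Agent": USER_AGENT},  # step 5
    }


def verify_signature(signed_query, secret_key):
    """Recompute the HMAC over everything before &signature= (constant-time compare)."""
    payload, sep, signature = signed_query.rpartition("&signature=")
    return bool(sep) and hmac.compare_digest(_hmac_hex(secret_key, payload).encode(), signature.encode())


# Constructed sample values; not real credentials.
SAMPLE = sign_request(
    "/sapi/v1/portfolio/bnb-transfer",
    {"amount": "1.0", "transferSide": "TO_UM", "recvWindow": 5000},
    api_key="EXAMPLE_API_KEY", secret_key="EXAMPLE_SECRET", timestamp_ms=1623319461670,
)
```

The secret key only ever enters the HMAC computation; the request carries the API key in a header and the hex signature in the query string, so changing any signed parameter invalidates the signature.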
