Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Binance Derivatives Trading USDS Futures
v1.0.0Binance Derivatives-trading-usds-futures request using the Binance API. Authentication requires API key and secret key. Supports testnet and mainnet.
⭐ 0· 160·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md and authentication reference repeatedly describe authenticated Binance futures endpoints and show examples requiring an API key and secret (HMAC-SHA256 signatures, X-MBX-APIKEY header). However the skill metadata/registry lists no required environment variables and no primary credential. A derivatives trading skill legitimately needs API key and secret; the omission in metadata is inconsistent and suspicious.
Instruction Scope
The runtime instructions are narrowly focused on calling Binance futures endpoints, building percent‑encoded query strings, and generating signatures (examples use openssl and curl). They do not direct reading unrelated files or exfiltrating data to third‑party endpoints. However the SKILL.md includes runnable bash examples that use a SECRET_KEY variable and demonstrate posting the secret in a curl request (expected for Binance, but sensitive). The instructions do not specify where the agent should obtain/store credentials (env, secure vault, or prompt), which increases risk.
Install Mechanism
Instruction-only skill with no install spec and no code files beyond documentation; nothing is written to disk and no remote downloads are performed. This lowers install-time risk.
Credentials
The skill requires sensitive credentials (API key and secret) to perform authenticated trading, but the registry shows zero required env vars and no primary credential. That mismatch prevents the platform from applying appropriate protections (e.g., marking a primary credential, restricting storage, or prompting for secure secret input). Also the SKILL.md encourages use of secret keys in shell commands (which can end up in shell history) — the skill should explicitly recommend secure storage/access patterns.
Persistence & Privilege
The skill is not always-included and uses default autonomous-invocation settings. There is no request for persistent system-wide configuration or modification of other skills. Note: autonomous invocation plus trading capability is powerful, but there is no evidence here that the skill requests excessive privilege beyond trading access.
What to consider before installing
Do not install or run this skill until the credential handling is clarified. Specifically: (1) Ask the publisher to declare required credentials (API_KEY and SECRET_KEY) and set the primary credential in the registry so the platform can treat secrets correctly. (2) Prefer providing credentials via a secure platform vault or environment variables rather than pasting secrets into chat or entering them inline; never paste your secret key into a conversation. (3) When you create API keys for this skill, restrict permissions (enable only futures trading, disable withdrawals) and enable IP whitelisting. (4) Use Binance testnet credentials first to validate behavior. (5) Verify the skill's provenance — the source is unknown; prefer skills from verified/known publishers. (6) If you proceed, monitor API key activity and be prepared to revoke keys immediately if unexpected trades or outbound requests appear. If the publisher cannot or will not update metadata to declare credentials and secure handling, treat the skill as risky and avoid installing it.Like a lobster shell, security has layers — review code before you run it.
latestvk97aze3mdsacsty85a9j9hhd4s8370cp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.