Binance Skills

Security checks across malware telemetry and agentic risk

Overview

This Binance skill is not malware, but it gives an agent broad live-account trading, wallet, and raw signed API powers that deserve manual review.

Install only if you are comfortable letting an agent operate Binance through authenticated credentials. Use testnet or demo first, create least-privilege API keys, disable withdrawal permission unless absolutely required, review every order or transfer parameter manually, and treat signed raw requests, withdrawals, leverage changes, redemptions, subscriptions, and Travel Rule PII submissions as high-risk actions requiring explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (14)

Context-Inappropriate Capability

Medium (95% confidence)

The documented `binance-cli request (GET|POST|PUT...) <url> [--signed]` capability exposes a generic arbitrary API invocation path that goes well beyond curated product-specific commands. In an authenticated trading and wallet context, this can enable access to sensitive account endpoints or execution of high-impact financial actions through undocumented routes, reducing guardrails and making misuse or prompt-driven abuse more dangerous.

Missing User Warnings

Medium (95% confidence)

This documentation exposes authenticated endpoints that can place and cancel live algo orders, but it provides no warning that these actions affect real accounts and may execute trades or cancel protections. In an agent skill context, missing safety guidance increases the chance that a user or downstream agent invokes destructive financial actions without explicit confirmation or understanding of the consequences.

Missing User Warnings

Medium (90% confidence)

This documentation exposes numerous authenticated endpoints that can place, modify, and cancel orders, transfer funds, borrow on margin, and change leverage or position modes, yet it provides no warning that these actions can have immediate financial consequences or trigger irreversible losses. In an agent skill context, presenting powerful trading operations as ordinary commands increases the chance of unsafe automation, accidental misuse, or social-engineering-driven invocation against a live account.

Missing User Warnings

Medium (89% confidence)

This reference file documents authenticated Binance COIN-M futures operations that can directly affect a user's account, including placing and canceling orders, changing leverage and margin type, and modifying position mode, without any warning or safety guidance. In an agent skill context, exposing these powerful account-impacting actions without explicit caution, confirmation requirements, or safer defaults increases the risk of accidental or socially engineered financial loss.

Missing User Warnings

Medium (91% confidence)

This section exposes authenticated, account-impacting futures trading operations such as placing orders, canceling orders, changing leverage, changing margin mode, and modifying position settings without any adjacent warning that these actions can execute real trades or alter account risk. In an agent skill context, that omission increases the chance of unsafe or unintended use by users or downstream agents, especially because the file mixes read-only and state-changing endpoints in one reference.

Missing User Warnings

Medium (95% confidence)

This documentation exposes authenticated gift card creation and redemption operations that can directly move or consume account value, but it provides no warning that these are financial, irreversible, or sensitive actions. In an agent-skill context, listing these endpoints without explicit user-confirmation and account-impact guidance increases the risk of accidental or unauthorized execution by an automated workflow or a misled user.

Missing User Warnings

Medium (92% confidence)

This documentation exposes authenticated BFUSD subscription and redemption actions without any warning that invoking them can move funds or alter the user's financial positions. In an agent skill context, users may treat listed commands as informational or low-risk, so the lack of explicit cautions increases the chance of unintended transactions.

Missing User Warnings

Medium (95% confidence)

The Simple Earn section lists multiple authenticated actions that redeem products, subscribe funds, and change account settings such as auto-subscribe and redeem options, but provides no safety notice about account-impacting effects. Because this skill operates against a live exchange account, an agent could execute these commands and change financial positions or account behavior without the user appreciating the consequences.

Missing User Warnings

Medium (92% confidence)

The RWUSD endpoints include authenticated subscribe and redeem operations but omit any warning that these commands can transfer value or alter holdings. In a trading/exchange skill, such omissions are especially risky because users may authorize the skill for convenience and not realize that simple-looking commands perform real financial transactions.

Missing User Warnings

Medium (93% confidence)

This documentation exposes authenticated trade endpoints that can create, amend, or cancel live Binance orders without any explicit warning that these actions affect real funds and account state. In an agent skill context, that omission increases the chance an LLM or user invokes destructive actions unintentionally, especially because nearby read-only and trading operations are presented in the same neutral tabular format.

Missing User Warnings

Medium (93% confidence)

This documentation enumerates authenticated endpoints that can redeem assets, subscribe funds, wrap tokens, change redeem options, and enable auto-subscribe, but it does not clearly warn that these are account-affecting operations capable of changing user holdings. In an agent skill context, such omission increases the chance that an LLM-driven agent or user invokes state-changing financial actions as if they were informational queries, leading to unintended transactions or asset movement.

Missing User Warnings

Medium (93% confidence)

This reference file documents high-impact authenticated operations such as enabling futures/options, transferring assets, moving positions, and withdrawing/depositing funds, but provides no warning, confirmation guidance, or safety notes about their financial consequences. In an agent skill context, especially one that may expose these actions through natural-language tooling, this omission increases the risk of accidental or socially engineered destructive actions by users or downstream agents.

Missing User Warnings

Medium (90% confidence)

The documentation exposes high-risk authenticated actions such as withdrawals and account-setting changes without any warning that they are irreversible, financially sensitive operations. In an agent skill context, this increases the chance that a user or downstream agent invokes destructive wallet actions without explicit confirmation or understanding of the consequences.

Missing User Warnings

Medium (94% confidence)

The travel-rule section documents endpoints that submit questionnaires and originator/beneficiary PII-related fields without any privacy, data-handling, or consent warning. Because this skill requires authentication and deals with regulated transfer metadata, an agent could collect, transmit, or log sensitive personal information without the user's informed consent or proper safeguards.

VirusTotal

62/62 vendors flagged this skill as clean.
