ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Binance Crypto Market Rank

v1.0.0

Crypto market rankings and leaderboards. Query trending tokens, top searched tokens, Binance Alpha tokens, tokenized stocks, social hype sentiment ranks, sma...

0· 110·1 current·1 all-time
by@binance-skills-hub
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description describe crypto ranking and leaderboard functions and the SKILL.md directly documents Binance web3 public APIs that implement that purpose — so required capabilities align. However the registry metadata lists no homepage or verified source while the skill claims author 'binance-web3-team', which is an unverifiable claim and a mild mismatch in provenance.
Instruction Scope
Instructions are narrowly scoped to calling public web3.binance.com endpoints and parsing their responses. The SKILL.md does not instruct the agent to read local files, environment variables, or to send data to third-party endpoints beyond Binance assets. Note: some endpoints return trader addresses and PnL leaderboards (public blockchain addresses and performance metrics), which may have privacy implications if you plan to aggregate or republish them.
Install Mechanism
This is an instruction-only skill with no install spec and no files to execute, so it does not write code to disk or install third-party packages.
Credentials
The skill requests no environment variables or credentials and the instructions do not reference secrets; this is proportionate to its stated public-API use.
Persistence & Privilege
The skill is not marked always:true, does not request persistent modifications, and contains no install-time or privileged actions. Autonomous invocation is allowed by default but is not, by itself, a red flag here.
What to consider before installing
This skill appears to do what it says (querying public Binance web3 ranking APIs) and does not request credentials, but the package has no homepage or verified publisher. Before installing: (1) verify the publisher or request a source/repo or homepage that proves it is an official Binance integration; (2) test calls with non-sensitive queries (do not provide API keys); (3) be aware that responses can include public trader addresses and PnL data which you should treat as potentially sensitive if you plan to store or publish them; (4) if you cannot verify the author's identity, prefer not to enable autonomous invocation or avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f1w6rzg3b6tz2j24bn13h5d8365r7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments