Crypto Wave Scanner

Pass

Audited by ClawScan on May 10, 2026.

Overview

This crypto scanner mostly does what it says and does not use credentials or place trades, but users should notice a few implementation mismatches and exposed runtime dependencies.

This skill appears safe to run as a public-data scanner, but treat its trading outputs as informational only. Verify whether you are using real Binance Futures data or testnet data, stop the local server when finished, and be aware that the dashboard loads a third-party charting script from a CDN.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

CLI results may not reflect the real Binance Futures market unless the user verifies or changes the endpoint.

Why it was flagged

The CLI scanner uses Binance Futures testnet by default, while SKILL.md says the data source is `https://fapi.binance.com` and says to swap to testnet only for testnet trading. This can affect user trust in the displayed trading signals.

Skill content

BASE = "https://testnet.binancefuture.com"

Recommendation

Clarify the CLI data source in SKILL.md or change the CLI default to the documented real public Binance Futures endpoint.

What this means

If the CDN content or connection were compromised, the dashboard page could run altered JavaScript in the browser.

Why it was flagged

The dashboard loads a remote JavaScript library from a CDN at runtime. This is expected for a chart dashboard, but it means browser execution depends on the CDN-delivered file.

Skill content

<script src="https://unpkg.com/lightweight-charts@4.1.3/dist/lightweight-charts.standalone.production.js"></script>

Recommendation

Consider vendoring the library locally or using subresource integrity and clear dependency documentation.

What this means

The CLI may fail or behave differently on systems without `curl.exe`, despite the metadata saying no binaries are required.

Why it was flagged

The CLI depends on an external `curl.exe` binary, but the registry requirements list no required binaries. The call is not shell-injected, but the dependency is under-declared and Windows-specific.

Skill content

subprocess.run(["curl.exe", "-s", BASE + path], capture_output=True)

Recommendation

Declare the curl dependency and OS expectation, or replace it with Python's standard HTTP libraries.

What this means

Other devices on the same network might be able to open the static dashboard while the server is running.

Why it was flagged

The local dashboard server binds to all network interfaces while the documentation presents it as localhost. It serves only the assets directory, so this is a limited exposure, but the network scope is broader than described.

Skill content

with socketserver.TCPServer(("", PORT), Handler) as httpd:

Recommendation

Bind the server to `127.0.0.1` unless LAN access is explicitly intended and documented.