Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
BinanceAlert
v1.0.1
Binance smart alert system. Monitors price/change alerts, new listings, Alpha airdrop opportunities, and HODLer announcements via Telegram. No Binance API Ke...
by @cnwpdb
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: the script polls Binance endpoints and sends alerts to Telegram. Requested binaries (python3) and env vars (TG_BOT_TOKEN, TG_CHAT_ID) are appropriate for the stated purpose. The script also interacts with Binance Web3 endpoints and CMS which are consistent with 'Alpha' and listing checks.
Instruction Scope
SKILL.md and the script explicitly state the code will read /data/freqtrade/user_data/.secrets.env (or system env) but this file path is not declared in requires.configPaths. Reading a shared secrets file is broader than necessary for a small alert script and could import unrelated secrets; the script also writes state to /data/freqtrade/user_data/binance_alert_state.json which is a shared location.
Install Mechanism
This is an instruction-only skill with no install spec — nothing is downloaded or written by an installer. That minimizes install-time risk.
Credentials
Declared env vars are limited and appropriate (TG_BOT_TOKEN, TG_CHAT_ID). However, the script auto-loads /data/freqtrade/user_data/.secrets.env into the process environment if present, which could expose other credentials or secrets stored there (e.g., exchange API keys or service tokens) without explicit user consent or declaration.
Persistence & Privilege
The skill persists state to /data/freqtrade/user_data/binance_alert_state.json and uses that path for initialization; it does not request 'always: true' or modify other skills. Persisting state in a shared application directory is reasonable for cron runs but may cause data overlap or permission concerns if run in an environment hosting other apps.
What to consider before installing
This skill generally matches its description (Binance → Telegram alerts) but it will automatically load /data/freqtrade/user_data/.secrets.env into its environment if present and writes state to /data/freqtrade/user_data/. Before installing:
(1) inspect /data/freqtrade/user_data/.secrets.env to ensure it doesn't contain unrelated secrets you don't want the skill to read;
(2) consider running the skill in an isolated directory or container with a dedicated .secrets.env that only contains TG_BOT_TOKEN and TG_CHAT_ID;
(3) check file permissions on the state file path and consider changing STATE_FILE to a location under the skill's control;
(4) review the full scripts/binance_alert.py for the truncated remainder (network endpoints, any unexpected remote endpoints, or code that might exfiltrate data).
If you cannot confirm the contents of the shared .secrets.env or don't want this skill to access other secrets, do not install or run it in a shared environment.
Like a lobster shell, security has layers — review code before you run it.
latest: vk976rf4163sf8nk8p59fhhmrvx837870
Runtime requirements
Bins: python3
Env: TG_BOT_TOKEN, TG_CHAT_ID
