Binance Trading Assistant

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is broadly consistent with monitoring a Binance account, but users should notice that it requires sensitive Binance API credentials and has a few disclosure/setup inconsistencies.

Only install this if you are comfortable giving the assistant read-only Binance API access. Create a restricted key with no trading or withdrawal permissions, store it carefully, and understand that the scripts will contact Binance to fetch balances and positions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The assistant can retrieve your Binance balances and futures position details if you provide API keys.

Why it was flagged

The script reads Binance API credentials from a local secrets file and uses them to authenticate API calls. This is expected for account monitoring, but it grants access to sensitive financial account information.

Skill content

const credentials = JSON.parse(fs.readFileSync(secretsPath, 'utf8')); ... apiKey: credentials.apiKey, secret: credentials.secret

Recommendation

Create a Binance API key with read-only permissions only, do not enable trading or withdrawals, and remove the key if you stop using the skill.

What this means

Running the scripts may depend on third-party package code that can change within the allowed version range.

Why it was flagged

The skill depends on the ccxt package using a version range rather than an exact pinned version. This dependency is appropriate for Binance exchange access, but it means installs may resolve to newer compatible versions.

Skill content

"dependencies": { "ccxt": "^4.0.0" }

Recommendation

Install from a trusted package registry and consider pinning or auditing the resolved ccxt version in sensitive environments.

What this means

A user might assume no networked authentication occurs, even though Binance account monitoring necessarily contacts Binance.

Why it was flagged

The safety language is stronger than ideal because the scripts authenticate to Binance through ccxt and retrieve account data from Binance. The artifacts do not show third-party exfiltration, but users should understand that Binance API calls are involved.

Skill content

- Your keys never leave your machine
- All data stays local

Recommendation

Treat the skill as a Binance API integration, not a fully offline tool, and use restricted read-only credentials.