Security audit

Binance Trading Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a read-only Binance account monitor, but it under-discloses how it uses sensitive exchange credentials and account data.

Install only if you are comfortable letting the assistant read Binance balances and futures positions. Use a read-only Binance API key with withdrawals and trading disabled, consider IP allowlisting and key rotation, protect ~/.openclaw/secrets/binance.json, and assume balance and position details may appear in command output or agent logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

High (96% confidence)
Finding
The safety section claims API keys are 'never transmitted,' but authenticated Binance API requests necessarily involve transmitting API credentials or signed authentication material to Binance. This is misleading security documentation that can cause users to underestimate exposure and handle credentials less carefully.

Missing User Warnings

Medium (91% confidence)
Finding
The script reads Binance API credentials directly from a local secrets file and uses them without any explicit user-facing disclosure or consent prompt. In an agent/skill context, silent access to financial API credentials is security-relevant because users may not realize the skill is touching sensitive authentication material tied to exchange accounts.

Missing User Warnings

Medium (94% confidence)
Finding
The script makes authenticated requests to Binance account endpoints to retrieve balances and positions, but gives no warning that account data will be sent to a third-party service. Even though Binance is the intended service, silent authenticated transmission of financial account data is risky in an agent setting because users may not expect network access or understand what private data is being queried.

Missing User Warnings

Medium (95% confidence)
Finding
The script silently reads Binance API credentials from a fixed location in the user's home directory and uses them for account access without any user-facing notice or consent prompt. In an agent/skill context, this creates a security boundary issue: merely invoking a seemingly read-only helper can access sensitive credentials and account data the user may not expect to expose.

Missing User Warnings

Medium (97% confidence)
Finding
The code makes an authenticated call to Binance using local API keys without explicitly informing the user that external network access and account-authenticated queries will occur. Even though this call appears read-only, it exposes account metadata to a third party and normalizes hidden authenticated actions inside a skill, which is dangerous in an agent execution environment.

VirusTotal

66/66 vendors flagged this skill as clean.
