Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Binance Meme Rush
v1.0.0
Real-time meme token lists from Pump.fun, Four.meme and other launchpads. Use when asked about new meme tokens, trending tokens, pump.fun tokens, bonding cur...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious, medium confidence
Purpose & Capability
The scripts call Binance web3 endpoints to retrieve token lists and topics, which aligns with the skill description. However the SKILL.md author/metadata claims 'binance-web3-team' while source/homepage are unknown — this may be impersonation and should be verified with an authoritative source before trusting the skill.
Instruction Scope
The runtime instructions state that the agent 'MUST immediately run the script — do NOT just display this documentation' and direct it to make network calls immediately. The scripts themselves only make HTTP requests to web3.binance.com, parse the JSON, and limit the results; they do not read local files or environment variables. The forced immediate execution is operationally aggressive and could cause unexpected outbound network traffic if the skill is installed on an agent that can run autonomously.
Install Mechanism
No install spec; skill is instruction-only with two included shell scripts. Nothing is downloaded from external untrusted URLs or written to disk beyond the provided files. This is a low-risk install mechanism.
Credentials
The skill requests no environment variables or credentials and the scripts do not access secrets or config paths. Network access to the listed endpoints is the only capability required, which is proportional to the stated purpose.
Persistence & Privilege
always is false and there is no indication the skill requests elevated or persistent privileges or changes other skills' configs. Autonomous invocation is allowed by default but not combined here with broad credential access.
What to consider before installing
Before installing:
1) Verify provenance — the skill claims to be from a 'binance-web3-team' but has no homepage or verified source; contact Binance or check an authoritative registry if you require trust.
2) Treat the included scripts as making live network calls to web3.binance.com; if you need to audit behavior, run the scripts manually in a sandbox to inspect responses and rate limits.
3) Consider whether you want an agent that will automatically run networked scripts when asked; if not, disable autonomous invocation or require explicit user confirmation before each fetch.
4) Be aware this skill facilitates trading/sniping decisions — that carries financial and regulatory risk; do not feed sensitive keys or credentials (none are requested) and avoid automating trades without safeguards.
5) If you cannot verify the author or endpoint legitimacy, do not install or run the skill.

Like a lobster shell, security has layers — review code before you run it.
