Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Binance Onchain Pay

v1.0.0

Binance Onchain Pay: buy crypto with fiat (EUR, USD) or send crypto to any on-chain wallet. Use when users want to buy crypto with fiat or make on-chain paym...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The skill claims to implement 'Binance Onchain Pay', which legitimately requires API credentials and a signing key, but the registry metadata lists no required env vars, credentials, or config paths. The example requests and header names in the docs (e.g., X-Tesla-*, api.commonservice.io) also do not match official Binance endpoints or branding, an inconsistency the skill does not explain.
Instruction Scope (flagged)
SKILL.md explicitly instructs the agent to read .local.md defaults, use an absolute PEM_PATH to a private key, build payloads, sign them with RSA SHA256, and run a local script at <skill_path>/scripts/sign_and_call.sh. The skill bundle contains no scripts and no .local.md, so the instructions reference files and code that are not present. The instructions also require openssl, curl, and bash, but the metadata declares no required binaries.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so an installer writes nothing to disk. However, the instructions expect a local script (<skill_path>/scripts/...) that is not included in the bundle; the absence is an operational and integrity issue, not an installer risk.
Credentials (flagged)
The runtime docs require BASE_URL, CLIENT_ID, API_KEY, and a PEM private key path, all of which are sensitive. The registry declares none of these as required, creating a mismatch. Requesting a private key file and an API key is plausible for this purpose, but the skill fails to declare them and offers no guidance on safe key handling (e.g., ephemeral keys or hardware-backed signing).
Persistence & Privilege
The skill does not request always:true and has no install step that persists on disk, so it does not request an elevated persistent presence. Note that the platform default allows autonomous invocation; combined with the credential and file-access issues above, autonomous calls would increase the risk if credentials were provided.
What to consider before installing
Do not install or provide secrets yet. Before using this skill, ask the publisher for: (1) a source repository or homepage and a verifiable publisher identity; (2) the missing files the SKILL.md references (scripts/, .local.md) or a corrected SKILL.md that matches the bundle; (3) confirmation of the exact API BASE_URL (ensure it's an official Binance domain) and explanation of headers like X-Tesla-*, which look unrelated to Binance; (4) a minimal, documented set of environment variables and least-privilege guidance for the PEM/private key (prefer hardware-backed or ephemeral signing keys). If you must test, do so in an isolated environment and never provide your primary private keys or production API keys until you can verify the code and endpoints.
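The Instruction Scope and Credentials findings above, together with items (2) and (3) of the checklist, can be checked mechanically before any secret is handed over. The script below is an added example, not ClawHub, OpenClaw or the skill publisher's code. It audits a skill bundle offline: it lists every <skill_path>/... file SKILL.md references and reports those missing from the bundle, collects every environment variable the instructions rely on and reports those the registry does not declare, and flags any BASE_URL whose host is not an official Binance domain. It assumes SKILL.md names files as <skill_path>/relative/path, uses variables as $VAR, ${VAR} or VAR=..., and that only binance.com and its subdomains count as official; the sample SKILL.md it runs against is constructed to mirror what the scan report says the real one instructs, and the bundle it builds deliberately lacks scripts/ and .local.md.

```python
"""Pre-install audit of an instruction-only skill bundle.

Added example; not ClawHub, OpenClaw or the skill publisher's code. It checks
three of the mismatches the scan report describes, entirely offline:
  1. every <skill_path>/... file SKILL.md tells the agent to use exists in the bundle
  2. every env var SKILL.md relies on ($VAR, ${VAR}, VAR=...) is declared by the registry
  3. every BASE_URL value points at an official Binance host (assumed: *.binance.com)
"""
from __future__ import annotations

import os
import re
import tempfile
from urllib.parse import urlparse

# Assumption: only binance.com and its subdomains count as official.
OFFICIAL_HOST_SUFFIXES = ("binance.com",)

SKILL_PATH_RE = re.compile(r"<skill_path>/([A-Za-z0-9_./-]+)")
ENV_USE_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]+)\}?")
ENV_ASSIGN_RE = re.compile(r"^(?:export\s+)?([A-Z][A-Z0-9_]+)=", re.MULTILINE)
BASE_URL_RE = re.compile(r"BASE_URL\s*=\s*[\"']?(https?://[^\s\"']+)")

# Constructed sample SKILL.md mirroring what the scan report says the real one
# instructs; the paths, variables and BASE_URL are the ones the report names.
SAMPLE_SKILL_MD = """\
# Binance Onchain Pay (constructed sample)
Read defaults from <skill_path>/.local.md before building a request.
export PEM_PATH=/abs/path/to/private_key.pem
BASE_URL=https://api.commonservice.io
Build the JSON payload, sign it with RSA SHA256 using $PEM_PATH, then run:
    bash <skill_path>/scripts/sign_and_call.sh
The script sends $CLIENT_ID and $API_KEY as request headers to $BASE_URL.
"""


def referenced_files(skill_md: str) -> list[str]:
    """Paths under <skill_path>/ that the instructions expect to exist."""
    return sorted({p.rstrip(".") for p in SKILL_PATH_RE.findall(skill_md)})


def missing_files(bundle_dir: str, skill_md: str) -> list[str]:
    """Referenced paths that are absent from the bundle on disk."""
    return [p for p in referenced_files(skill_md)
            if not os.path.isfile(os.path.join(bundle_dir, p))]


def required_env_vars(skill_md: str) -> set[str]:
    """Variables the instructions read ($VAR / ${VAR}) or set (VAR=...)."""
    return set(ENV_USE_RE.findall(skill_md)) | set(ENV_ASSIGN_RE.findall(skill_md))


def is_official_binance_host(url: str) -> bool:
    """Exact match or subdomain of an official suffix; binance.com.evil.tld fails."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_HOST_SUFFIXES)


def unofficial_base_urls(skill_md: str) -> list[str]:
    """Every BASE_URL value in the docs whose host is not official."""
    return [u for u in BASE_URL_RE.findall(skill_md) if not is_official_binance_host(u)]


def audit_bundle(bundle_dir: str, declared_env=()) -> dict[str, list[str]]:
    """Return every mismatch found; an empty report is the bar for handing over keys."""
    with open(os.path.join(bundle_dir, "SKILL.md"), encoding="utf-8") as fh:
        skill_md = fh.read()
    return {
        "missing_files": missing_files(bundle_dir, skill_md),
        "undeclared_env": sorted(required_env_vars(skill_md) - set(declared_env)),
        "unofficial_base_urls": unofficial_base_urls(skill_md),
    }


def safe_to_provide_secrets(report: dict[str, list[str]]) -> bool:
    """True only when no category of mismatch was found."""
    return not any(report.values())


def build_sample_bundle() -> str:
    """Write the constructed SKILL.md into a temp dir with no scripts/ and no .local.md."""
    bundle_dir = tempfile.mkdtemp(prefix="skill_audit_")
    with open(os.path.join(bundle_dir, "SKILL.md"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SKILL_MD)
    return bundle_dir


if __name__ == "__main__":
    report = audit_bundle(build_sample_bundle())  # registry declares no env vars
    for key, items in report.items():
        print(f"{key}: {items}")
    print("safe to provide secrets:", safe_to_provide_secrets(report))
```

Run against a real bundle, point audit_bundle at the unpacked skill directory and pass the registry's declared env vars as declared_env. The host check deliberately compares suffixes on the parsed hostname rather than searching the URL string, so a lookalike such as binance.com.evil.example or a path containing "binance.com" is still reported. Hardware-backed or ephemeral signing keys are a separate control that this audit cannot verify; it only tells you whether the bundle is internally consistent enough to be worth testing in an isolated environment.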

Like a lobster shell, security has layers — review code before you run it.

