Binance Signal Engine

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, read-only crypto market analysis skill that fetches public price data and prints trading-analysis output without using credentials or placing orders.

Install only if you are comfortable running local Python dependencies and sending requested symbols/timeframes to public exchange APIs. Do not provide exchange API keys to this tool, and treat its buy/sell, futures, leverage, and position-sizing output as informational analysis to review independently before risking money.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The skill advertises broad natural-language triggers such as "crypto analysis" and "multi-timeframe analysis," which can cause the agent to auto-invoke this skill in contexts the user did not specifically intend. Even though the skill appears read-only and limited to public market-data requests, unintended invocation can still cause unnecessary external network access, misleading tool selection, and expansion of the skill's operational scope beyond explicit user consent.

Vague Triggers

Medium
Confidence: 89%
Finding
The documented trigger phrases are broad natural-language prompts such as 'crypto analysis', 'check the trend on BTC', and 'is it a good time to buy BTC', which can overlap with ordinary conversation and cause the skill to activate when the user did not explicitly intend it. Over-broad invocation increases the chance of unintended tool use, unnecessary external data access, and context hijacking where unrelated discussions are steered into trading analysis.

VirusTotal

66/66 vendors flagged this skill as clean.
