Binance DCA Test
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This skill is a high-impact Binance trading helper that can use API secrets to place recurring real-money crypto buys, but its required script is absent and its credential/trade safeguards are under-specified.
Only use this after verifying the actual dca.sh implementation from a trusted source. Start on Binance testnet, use a trading-only API key with withdrawals disabled, set strict spend limits, require confirmation before real orders, and avoid recurring cron jobs unless you have clear stop conditions and monitoring.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a real Binance key with broad permissions is used, the agent or scheduled job could place trades on the user's account and potentially misuse high-value account access.
The skill requires Binance API credentials that can authorize account activity, but the registry declares no env vars or primary credential and the docs do not bound the key permissions, symbols, amounts, or account scope.
Requires two environment variables (never hardcode these):
export BINANCE_API_KEY="your-key"
export BINANCE_SECRET_KEY="your-secret"
Declare the credentials in metadata, require least-privilege trading-only keys with withdrawals disabled and IP restrictions where possible, and clearly document allowed symbols, amounts, and confirmation requirements.
A mistaken or premature invocation could buy cryptocurrency with real funds at market price.
The skill documents an immediate real market-buy action. For financial account mutation, the artifacts do not show a required preview, explicit confirmation, spending cap, or safe default before execution.
# Execute a $50 market buy
bash scripts/dca.sh buy BTCUSDT 50
Default to planning/testnet mode, require an explicit fresh confirmation before every real order, show symbol/amount/estimated price/fees, and enforce user-defined spend limits.
Users may end up running an unreviewed or wrong local script with Binance API secrets and trading authority.
The skill relies on scripts/dca.sh for all operations, but the supplied manifest contains only SKILL.md and no install spec, so the code that would handle Binance credentials and trades is not present for review.
bash scripts/dca.sh price BTCUSDT
Include the referenced script in the reviewed package with pinned dependencies, or replace the instructions with a clearly sourced, verified installation path before asking users to execute it.
A recurring job could continue buying crypto repeatedly after the original conversation or after the user forgets it is enabled.
The skill encourages persistent scheduled execution that can keep placing real buy orders, while not documenting expiration, cancellation, alerting, or per-run confirmation controls.
For automated recurring buys, suggest setting up a cron job or OpenClaw cron:
0 9 * * 1 BINANCE_API_KEY=... BINANCE_SECRET_KEY=... /path/to/dca.sh buy BTCUSDT 50
Require explicit schedule approval, include an end date or max spend, provide clear disable instructions, send alerts before/after each order, and avoid storing secrets inline in cron entries.
