Trading Research
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill Suspicious High-Entropy/Eval files: 6 The skill bundle is benign. All Python scripts (`scripts/*.py`) exclusively interact with legitimate Binance public API endpoints (`https://data-api.binance.vision`, `https://fapi.binance.com`) to fetch market data and perform local calculations. There is no evidence of data exfiltration, malicious execution, persistence, or obfuscation. The `SKILL.md` instructions guide the AI agent to use these tools for their stated purpose of market research and analysis, explicitly noting 'No trading execution' and 'no authentication needed for data', and contain no prompt injection attempts to induce harmful or unauthorized behavior.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill for market data can send requested symbols and market-data queries to Binance public API endpoints.
The script fetches data from Binance over the network. This is disclosed and central to the market-data purpose, but users should know the skill contacts Binance APIs.
BASE_URL = "https://data-api.binance.vision" ... request.urlopen(url, timeout=10)
Use it for market research as intended and review any generated commands before running them, especially if adapting them beyond public market-data queries.
If a user supplies Binance API keys or follows these examples for live trading, the agent could help access account data or place/cancel orders.
The reference documentation includes authenticated Binance account and trading endpoints, even though the metadata declares no required credentials and the provided scripts do not show credential use.
Signed endpoints require... API Key... Place New Order POST /api/v3/order ... Cancel All Open Orders
Do not provide live Binance API keys unless you intentionally want that workflow; prefer testnet or read-only/scoped keys, disable withdrawals, and require explicit confirmation before any live order.
Users have less external information to verify who maintains the skill or where the code originated.
The skill has limited provenance information. No install-time commands or third-party package installs are shown, so this is a provenance notice rather than a material concern.
Source: unknown; Homepage: none
Review the included scripts before installation and prefer updates from a trusted publisher or repository when available.