Binance Pro Cn

Security checks across malware telemetry and agentic risk

Overview

This Binance skill matches its trading purpose, but it can guide an agent to place real trades and change leverage without enough built-in guardrails.

Review carefully before installing. Use only a dedicated Binance API key with withdrawals disabled, minimal trading permissions, and IP restrictions where possible. Prefer testnet or tiny amounts first, and require explicit confirmation for every order, cancellation, and leverage change.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

High

Confidence: 95% confidence
Finding: The trigger phrases include generic terms like '交易' and 'trading', which are broad enough to activate in many unrelated conversations. In a skill capable of placing live exchange orders, over-broad activation materially increases the chance of accidental invocation and unintended financial actions.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill presents leveraged futures, spot orders, and account operations up front without an immediate warning that trades can cause irreversible losses and execute on real funds. For a financial skill with market-order and leverage examples, omission of prominent risk disclosure makes accidental or uninformed use substantially more dangerous.

External Transmission

Medium

Category: Data Exfiltration
Content: QUERY="symbol=${SYMBOL}&side=BUY&type=MARKET&quantity=${QUANTITY}&timestamp=${TIMESTAMP}" SIGNATURE=$(echo -n "$QUERY" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2) curl -s -X POST "https://api.binance.com/api/v3/order?${QUERY}&signature=${SIGNATURE}" \ -H "X-MBX-APIKEY: ${API_KEY}" | jq '.' ```
Confidence: 93% confidence
Finding: https://api.binance.com/

External Transmission

Medium

Category: Data Exfiltration
Content: QUERY="symbol=${SYMBOL}&side=SELL&type=MARKET&quantity=${QUANTITY}&timestamp=${TIMESTAMP}" SIGNATURE=$(echo -n "$QUERY" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2) curl -s -X POST "https://api.binance.com/api/v3/order?${QUERY}&signature=${SIGNATURE}" \ -H "X-MBX-APIKEY: ${API_KEY}" | jq '.' ```
Confidence: 93% confidence
Finding: https://api.binance.com/

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal