AI News BNB Trader
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a genuine trading bot, but it can use a wallet private key to automatically sign live on-chain swaps driven by external news signals, so it needs careful review before use.
Only run this with a dedicated, low-balance wallet and keep DRY_RUN=true until you have verified the news source, token addresses, DEX API behavior, and risk settings. Do not provide a main wallet private key, and treat live mode as capable of real financial loss.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Providing the wallet private key (or the passphrase to an encrypted key file) gives the bot the ability to sign transactions from the configured wallet and potentially spend funds when DRY_RUN is disabled.
The code requires wallet private key material or a passphrase to decrypt it, despite the registry metadata listing no primary credential or required environment variables.
evmPrivateKey: s('EVM_PRIVATE_KEY'), encryptedKeyPath: s('ENCRYPTED_KEY_PATH', './secrets/key.json'), keyPassphrase: s('KEY_PASSPHRASE') ... throw new Error('Missing key material. Set EVM_PRIVATE_KEY or KEY_PASSPHRASE + ENCRYPTED_KEY_PATH')
Use only a dedicated low-balance trading wallet, keep DRY_RUN enabled until fully tested, and require the skill metadata to clearly declare wallet-key and API-key requirements.
A compromised, misconfigured, or unexpected DEX API response could cause the wallet to sign an unintended transaction.
In live mode, the bot signs and sends transaction fields returned by the external swap API without validating the destination, calldata, token spender, or transaction value.
const j = await r.json(); const tx = await this.wallet.sendTransaction({ to: j.tx.to, data: j.tx.data, value: BigInt(j.tx.value ?? '0'), gasLimit: BigInt(j.tx.gas ?? '500000') });
Validate router/spender addresses, token addresses, chain ID, value, and calldata before signing; consider requiring explicit user approval for each live trade.
Bad or manipulated news input could influence the bot into making trades, especially if the optional OpenAI model is enabled.
Retrieved news content directly drives the signal model and trading decision pipeline, which is expected for this skill but makes news-source integrity important.
const items = await fetchNews(config.newsApiUrl, config.newsTimeoutMs); ... const s = await model.analyze(news).catch(() => fallback.analyze(news)); const d = decide(s, config.buyThreshold, config.sellThreshold, config.minConf); ... const res = await dex.swap(from, to, amountIn, config.maxSlippageBps);
Use trusted news feeds, keep dry-run testing on, monitor decisions, and add validation or manual approval before live trading.
If left running in live mode, the bot may continue making trades over time within its configured risk limits.
The start command is designed as a long-running autonomous loop. This is disclosed and purpose-aligned, but users should understand it continues operating until stopped.
while (true) { ... await new Promise((r) => setTimeout(r, config.newsPollSeconds * 1000)); }
Run it under supervision, use the panic command or process controls to stop it, and set conservative trade, loss, and cooldown limits.
