Binance Pro (Hybrid Labs)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Binance trading skill, but it can place live leveraged trades with broad activation and no enforced confirmation safeguards.

Install only if you intentionally want an agent to access your Binance account and potentially trade with real funds. Use restricted API keys with withdrawals disabled, prefer read-only or testnet credentials unless live trading is required, apply IP restrictions where possible, and require separate human confirmation before any order, cancellation, leverage change, stop-loss, take-profit, or position close.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill accesses credentials from environment variables and local files, then uses them to make authenticated network requests to Binance, but it does not declare corresponding permissions. This creates a transparency and consent problem: an agent may invoke a highly privileged trading skill without clear permission gating, increasing the risk of unauthorized account access and financial actions.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill description claims broad Binance capabilities such as staking, portfolio management, and 'any Binance operation,' but the implementation supports only a limited subset of account queries and futures actions. In an agent setting, overstated capability is dangerous because users or orchestrators may trust the tool for operations it does not safely implement, leading to misuse, failed safeguards, or unintended trading behavior.

Intent-Code Divergence

Low
Confidence
94% confidence
Finding
The CLI advertises spot-buy and spot-sell commands even though they are not implemented. This inconsistency can mislead an operator or an autonomous agent into believing live spot trading is available, causing incorrect planning, failed executions, or fallback to unsafe alternative behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation text is so broad that the skill could be selected for nearly any Binance-related request, including ambiguous prompts that should not result in live trading. In the context of a skill capable of authenticated spot and futures orders, overbroad triggering materially increases the chance of unintended execution and financial loss.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill advertises high-risk actions such as futures trading and leverage up to 125x without an upfront warning that these actions can cause rapid, irreversible losses. Because the skill includes direct market-order examples and authenticated execution paths, weak warning and consent UX makes accidental destructive trading substantially more dangerous.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code places live futures orders immediately from command-line input without any explicit confirmation, preview, dry-run, or policy gate. In a high-risk financial context, especially with futures trading and potentially high leverage, a mistaken invocation or malicious agent instruction can trigger irreversible market exposure and rapid financial loss.

Missing User Warnings

High
Confidence
99% confidence
Finding
The close_position workflow automatically submits a reduce-only market order as soon as it detects a non-zero position, with no user acknowledgment. Because this operates on live futures positions, an erroneous symbol, compromised agent, or accidental command can force immediate liquidation behavior and realize losses.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
QUERY="symbol=${SYMBOL}&side=BUY&type=MARKET&quantity=${QUANTITY}&timestamp=${TIMESTAMP}"
SIGNATURE=$(echo -n "$QUERY" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)

curl -s -X POST "https://api.binance.com/api/v3/order?${QUERY}&signature=${SIGNATURE}" \
  -H "X-MBX-APIKEY: ${API_KEY}" | jq '.'
```
Confidence
94% confidence
Finding
https://api.binance.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
QUERY="symbol=${SYMBOL}&side=SELL&type=MARKET&quantity=${QUANTITY}&timestamp=${TIMESTAMP}"
SIGNATURE=$(echo -n "$QUERY" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)

curl -s -X POST "https://api.binance.com/api/v3/order?${QUERY}&signature=${SIGNATURE}" \
  -H "X-MBX-APIKEY: ${API_KEY}" | jq '.'
```
Confidence
94% confidence
Finding
https://api.binance.com/

VirusTotal

64/64 vendors flagged this skill as clean.
