Binance Pro (Hybrid Labs)
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is a real Binance trading integration, but it gives an agent broad authority to use live exchange credentials and place high-risk trades without clear approval guardrails.
Install only if you intentionally want an agent to access and trade on your Binance account. Before using it, create a restricted API key, disable withdrawals, prefer read-only or testnet use first, and require explicit confirmation for every trade, leverage change, or order cancellation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses this skill with valid credentials, it could place, close, or alter leveraged crypto trades and cause financial losses.
The skill documents direct live Binance trading calls, including leveraged futures order placement, under a very broad 'any Binance operation' scope. The artifacts do not show approval gates, dry-run mode, position-size limits, or other safeguards before high-impact financial actions.
description: Complete Binance integration ... Trade spot, futures with up to 125x leverage ... and any Binance operation.
curl -s -X POST "https://fapi.binance.com/fapi/v1/order?..."
Use only with explicit per-order user confirmation, testnet or read-only mode by default, strict trade-size and leverage limits, and clear review of symbol, side, quantity, order type, and price before every mutation.
A Binance API key with trading permissions can control real funds and open risky positions if misused.
The skill asks for live Binance API credentials capable of account and trading operations, while the supplied registry metadata declares no primary credential or required environment variables. This under-discloses a high-privilege account dependency.
Save to `~/.openclaw/credentials/binance.json`:
{
  "apiKey": "YOUR_API_KEY",
  "secretKey": "YOUR_SECRET_KEY"
}
Declare the credential requirement in metadata, use a least-privilege Binance API key, disable withdrawals, restrict by IP if possible, and consider separate read-only and trading credentials.
Users have limited external provenance information for code that may operate a financial account.
The skill comes from an unknown source with no homepage and includes a Python helper despite having no install spec. The provided code does not show obvious exfiltration, but provenance matters because the skill handles financial credentials.
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Code file presence: binance_cli.py
Review the included code before use, verify the publisher, and avoid supplying live exchange credentials unless the source is trusted.
