AegisClaw - 金甲龙虾

Security checks across malware telemetry and agentic risk

Overview

This Binance skill is mostly coherent with its stated purpose, but it can use live exchange credentials to change account balances without a clear confirmation or dry-run safeguard.

Review carefully before installing. Use a dedicated low-balance Binance sub-account, create a least-privilege API key, disable withdrawals and futures unless explicitly needed, enable IP restrictions, and prefer testnet first. Do not pass API secrets through chat commands if your environment logs messages. Treat dust sweep as a live asset conversion that can change balances and incur fees; do not run it unless you intentionally want those assets converted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill requests highly sensitive Binance API credentials and the associated implementation reportedly has access to env, file read/write, network, and shell capabilities, yet the manifest does not declare permissions. This undermines reviewability and least-privilege controls, making it easier for a user or host system to grant broad capabilities without understanding the real risk surface around secrets, trading actions, and local persistence.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented purpose presents the skill as security checking, scanning, reporting, and dust management, but the implementation reportedly includes live order placement/cancellation, local SQLite storage, Launchpool discovery, and install-time package or environment modification. This mismatch is dangerous because users may authorize or run the skill expecting passive analysis while it can perform account-impacting financial operations and store sensitive trading data locally.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: The skill declares Binance asset management functionality, but this file also provisions Telegram bot credentials, creating an undeclared secondary communication channel. In a financial automation context, extra credentialed integrations expand the attack surface and can enable silent exfiltration of account data, alerts, or operational details if later used elsewhere in the skill.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding: The client exposes live trading and order-cancellation primitives (`new_order`, `cancel_order`) even though the skill metadata frames the tool around asset management, security checks, arbitrage scanning, and dust sweeps. This scope expansion is dangerous because an agent or prompt path that should only inspect or scan can instead place or cancel real market activity using the configured Binance credentials.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The code presents itself as checking for dangerous API permissions, but it does not actually verify whether most forbidden permissions are enabled on the Binance API key. Instead, it unconditionally copies configured forbidden permissions into the 'dangerous' list, which can mislead users into believing a real security validation occurred and produce inaccurate security scores and recommendations in a high-risk financial automation context.

Intent-Code Divergence

Severity: Low
Confidence: 87%
Finding: The comments say restricted permissions should not be actively tested, yet the code directly probes a futures endpoint using the configured session. In a trading skill that handles real Binance credentials, undocumented live probing can create side effects such as unexpected API activity, misleading permission inference, rate-limit consumption, and inconsistent behavior if authentication headers are sent automatically.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The documentation instructs users to place Binance API credentials in a .env file but provides no warning about secret handling, storage hygiene, scoping, or the risks of using high-privilege exchange keys. In the context of a finance/trading skill that can access real exchange accounts, this increases the likelihood of credential leakage, misuse, or unsafe deployment practices leading to account compromise.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The command list advertises actions such as arbitrage scanning and dust conversion without user-facing warnings about financial risk, possible order execution, fees, tax/accounting implications, or irreversible asset conversions. Because this skill is specifically for Binance asset management, even seemingly routine commands can materially affect account balances and expose users to unintended trades or losses.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The README presents commands like dust conversion and arbitrage actions in a routine, low-friction way, but does not place an explicit, prominent warning before those examples that they can affect real Binance assets and may execute live account actions. In the context of an AI agent skill that can be invoked automatically, this increases the risk of unintended trades, conversions, or account changes by users or downstream agents.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding: The skill advertises automated dust conversion and arbitrage-oriented actions without a clear warning that these can change account balances, incur fees, create tax/reporting consequences, or produce losses. In a financial context, omission of explicit risk and account-impact disclosures can mislead users into enabling automation on real exchange accounts without informed consent.

Natural-Language Policy Violations

Severity: Medium
Confidence: 89%
Finding: Calling funding-rate arbitrage 'risk-free' is materially misleading because execution risk, basis risk, funding changes, liquidity constraints, latency, fees, liquidation exposure, and API or exchange issues can all cause losses. This claim is especially dangerous in a Binance-integrated skill because it may encourage users to trust automation with real funds under false assumptions of safety.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding: Describing the tool as a 'risk-free profit guardian' is an unjustified financial safety claim that can create overconfidence and reduce user scrutiny around API permissions, automated conversions, and possible trading behavior. In the context of a skill handling exchange credentials and potentially placing orders, such marketing language increases the chance of unsafe real-world use.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The manifest explicitly asks users to provide Binance API credentials and advertises automated trading actions such as arbitrage and dust conversion, but it gives no warning about credential sensitivity, trading risk, or recommended account permission restrictions. In a crypto-financial context, this omission is dangerous because users may supply high-privilege keys or trigger real-money actions without understanding loss, liquidation, or account-compromise consequences.

Missing User Warnings

Severity: Low
Confidence: 79%
Finding: Automatically loading a local .env file causes the skill to ingest secrets from the working directory without any explicit user action at runtime. In an agent-skill setting, this increases the chance of unintentionally pulling sensitive credentials from local storage and makes secret use less transparent, especially for a high-risk Binance trading skill.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The code permits destructive account-affecting actions such as placing and cancelling orders with no visible confirmation, dry-run gate, or secondary approval step. In an agent setting, this materially increases the chance of accidental or prompt-induced unauthorized trades because a single tool invocation can directly impact funds.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The dust conversion endpoints perform real account-affecting conversions without any explicit warning or confirmation in this client layer. Even if dust sweeping is mentioned in the skill description, executing asset conversions silently in an autonomous workflow can cause unintended portfolio changes and user surprise.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The function directly invokes `dust_transfer(assets)` and converts user assets to BNB without any explicit confirmation, preview, or secondary approval step. In a finance skill with live Binance credentials, this can cause unintended asset conversion and irreversible user-impacting account changes if triggered by mistake, prompt injection, or ambiguous instructions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The CLI exposes a dust-sweep action that can trigger live asset conversion immediately when the `--dust` flag is used, with no interactive confirmation, dry-run mode, or secondary safeguard in this entrypoint. In a financial asset-management skill connected to real Binance credentials, this increases the risk of accidental or scripted execution causing unintended trades or irreversible balance changes.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The plugin accepts API keys and secrets directly via command arguments and stores them in shared runtime configuration without any warning about secret exposure risks. In an agent/plugin context, command arguments may be logged, echoed in chat history, retained by orchestration layers, or exposed to other components, making credential compromise more likely.

Missing User Warnings

Severity: Medium
Confidence: 74%
Finding: The status command retrieves live account balances from Binance and formats them for output, but this file does not clearly disclose that invoking the command causes external network access and fetches sensitive financial data. In a tool-using agent environment, users may not realize a seemingly local status request exposes account information to external services and plugin output channels.

Missing User Warnings

Severity: High
Confidence: 94%
Finding: The dust sweep command can execute an account-affecting conversion/trade path immediately after initialization with no explicit confirmation, preview, or dry-run safeguard in this file. Because it can alter holdings on a real exchange account, accidental invocation, prompt confusion, or agent misuse could cause unintended asset conversion and financial loss.

External Script Fetching

Severity: High
Category: Supply Chain
Content:
**Install Claude Code**
```bash
# macOS/Linux
curl -fsSL https://cdn.anthropic.com/install.sh | sh

# Windows (using scoop)
scoop install claude-code
```
Confidence: 98%
Finding: `curl -fsSL https://cdn.anthropic.com/install.sh | sh`

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
```text
# 金甲龙虾 (AegisClaw) dependencies

# HTTP requests
requests>=2.31.0

# Environment variables
python-dotenv>=1.0.0
```
Confidence: 88%
Finding: `requests>=2.31.0`

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
```text
requests>=2.31.0

# Environment variables
python-dotenv>=1.0.0

# Date handling
python-dateutil>=2.8.2
```
Confidence: 84%
Finding: `python-dotenv>=1.0.0`

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
```text
python-dotenv>=1.0.0

# Date handling
python-dateutil>=2.8.2

# Data visualization (optional, used for poster generation)
matplotlib>=3.8.0
```
Confidence: 82%
Finding: `python-dateutil>=2.8.2`

VirusTotal

64/64 vendors flagged this skill as clean.