Skillv1.0.0

ClawScan security

AegisClaw - 金甲龙虾 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 13, 2026, 1:51 PM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and runtime instructions largely match a Binance trading/security assistant, but there are clear metadata and packaging inconsistencies (missing declared env vars, claiming to be instruction-only while including many code files), plus undeclared environment usage (Telegram config, proxy env), so you should verify repository origin and review the code before installing or providing API keys.
Guidance: Do not install or provide real Binance API keys until you verify the source repository and review the code (especially openclaw_plugin/plugin.py and install.py). Specific actions: - Confirm the plugin's canonical repository (the SKILL.md points to https://github.com/hyy2099/aegisclaw). Inspect that upstream repo and commit history. - Review openclaw_plugin/plugin.py and main.py to see how credentials are stored/transmitted and whether any external endpoints beyond Binance/Telegram are contacted. - Only create a Binance sub-account with minimal funds and generate an API key with trading (SPOT) enabled and WITHDRAW disabled; bind key to IP whitelist if possible. - Look for undeclared env vars (TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID, HTTPS_PROXY) and decide whether you want notification features; ensure they are set only if you trust the code. - If you lack the expertise to audit the code, run the skill in an isolated environment (isolated VM/container) and use testnet keys first (set BINANCE_TESTNET=true) to observe behavior before providing real credentials. - Prefer to avoid giving full keys until you confirm that the skill does not exfiltrate data or call unknown endpoints; check network activity during a test run. These inconsistencies (missing declared env vars and install claims) are not proof of malice but are reason to pause and verify before giving it access to your funds.

Review Dimensions

Purpose & Capability: concernThe skill's name/description and code implement Binance account management, arbitrage scanning, dust sweeps and reporting — that capability reasonably requires BINANCE_API_KEY and BINANCE_API_SECRET. However the registry metadata at the top lists no required environment variables or primary credential, which contradicts the SKILL.md and code. The project also contains setup.py, requirements.txt and multiple Python modules (not an instruction-only bundle), so the 'instruction-only'/install claim is inconsistent with the actual package contents.
Instruction Scope: concernSKILL.md explicitly requires Binance API credentials and lists commands (init, scan, dust, arbitrage, etc.) which align with code. But SKILL.md and the registry disagree (registry omitted required env vars). The instructions mention scheduled tasks and automated workflows — combined with code that can place orders (new_order, dust_transfer) this grants the plugin broad ability to interact with user accounts. The SKILL.md does not mention some environment/config values the code reads (e.g., Telegram bot token, HTTPS_PROXY), which is a scope discrepancy.
Install Mechanism: concernThe manifest says 'No install spec — instruction-only', yet the package contains many code files, setup.py and requirements.txt, implying it is intended to be installed/run. There is no explicit install URL or packaged release, and the clawhub/CLAWHUB instructions reference publishing. This mismatch (claimed instruction-only vs actual code) is an integrity/packaging concern you should resolve by verifying the source repository.
Credentials: concernSKILL.md and config.py require BINANCE_API_KEY and BINANCE_API_SECRET (expected for Binance operations). However: (1) the registry metadata omitted these required env vars, (2) config.py also reads TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID though SKILL.md doesn't document them, and (3) the API client will honor HTTPS_PROXY/HTTP_PROXY environment variables. Requiring API keys for trading is expected, but any undeclared tokens or network/proxy behavior should be made explicit before trusting keys. Ensure withdraw privilege is disabled and permissions are limited to SPOT/trade only.
Persistence & Privilege: notealways:false (no forced global inclusion). The skill persists data locally in an SQLite DB (db/aegisclaw.db) and logs operations — this is expected for reports/auditing. The plugin can be invoked autonomously (platform default); combined with trading capabilities this increases blast radius if misused, but autonomous invocation alone is not a disqualifier. There's no evidence the skill attempts to modify other skills or system-wide configs.