v1.0.0

Binance API

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:23 AM.

Analysis

This skill is transparent and testnet-focused, but it can use Binance credentials to access account data and place real trades, so it deserves careful review.

Guidance: Install only if you want the agent to help operate Binance Spot workflows. Start with testnet, use a dedicated restricted API key, never paste secrets into chat, inspect the ~/binance/ memory files, and approve every production trade explicitly.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
User needs to read Binance market data, place or manage Spot orders ... Promote to `POST /api/v3/order` only when payload and filters are confirmed.

The skill explicitly supports Binance Spot order placement/management, including promotion from test orders to real order endpoints.

User impact: If used with a production key, mistakes or unintended confirmations could result in real trades or order changes.
Recommendation: Use testnet by default, require per-order confirmation showing symbol, side, quantity, price, and environment, and avoid production trading unless you intentionally need it.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
sdk-cli.md
pip install binance-sdk-spot
npm install @binance/spot
go get github.com/binance/binance-connector-go

The optional SDK examples install external packages without pinned versions.

User impact: Installing unpinned packages can pull unexpected versions or introduce dependency risk.
Recommendation: Verify package provenance against Binance documentation and pin versions if you choose to install SDKs.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
`BINANCE_API_KEY` and `BINANCE_API_SECRET` for signed Spot requests

Signed Binance account and trading APIs require credentials that may carry real account authority.

User impact: A production Binance API key could expose account information and allow trading actions depending on the key's permissions.
Recommendation: Use a dedicated least-privilege Binance API key, prefer testnet keys, disable unnecessary permissions such as withdrawals, use IP restrictions where possible, and rotate keys if exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
memory-template.md
`complete` | Stable operating context | Execute quickly with stored defaults

The skill stores persistent operating preferences and may reuse them in later Binance workflows.

User impact: Outdated or incorrect saved defaults could influence future trading decisions or workflow shortcuts.
Recommendation: Review ~/binance/memory.md regularly, keep secrets out of these files, and require fresh confirmation for any production trading action regardless of stored defaults.