ClawHub

Binance Spot OpenAPI Skill

v1.0.1

Operate Binance Spot market, account, and order APIs through UXC with a curated OpenAPI schema, Binance query signing, and separate mainnet/testnet link flows.

0· 291·1 current·1 all-time
by@jolestar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and files (OpenAPI schema, usage patterns, and uxc link examples) all align with the stated purpose of operating Binance Spot endpoints. The only external dependency referenced at runtime is uxc and network access to Binance + the GitHub raw schema URL, which is expected for this skill.
Instruction Scope
SKILL.md instructions stay within scope: they describe public reads, signed account/order queries, testnet-first write flows, and mainnet guardrails. The docs instruct storing signing material (private key PEM or HMAC secret) in environment variables or a secret manager; they do not instruct the agent to read unrelated files or exfiltrate data to third-party endpoints outside of Binance or the GitHub raw schema URL.
Install Mechanism
No install spec is provided (instruction-only), which is low risk. The OpenAPI schema is referenced from a raw.githubusercontent.com URL — common practice for schemas but worth verifying integrity if you rely on it. The included validate.sh is a local validation script (requires rg and jq) and not run automatically by the platform.
Credentials
The skill does not declare required env vars in registry metadata, but SKILL.md recommends several BINANCE_* environment variables for Ed25519 or HMAC keys. Those credentials are directly relevant to signing Binance requests and are proportionate; however, the skill asks you to store private key PEM content in environment variables (a convenience that has security trade-offs).
Persistence & Privilege
Skill does not request persistent always:true privilege, does not modify other skills, and is user-invocable. It relies on uxc to perform signed requests; by default the platform allows autonomous invocation, which is normal — there are no other elevated privileges requested by this skill.
Assessment
This skill appears to do what it says: help you call Binance Spot endpoints via your local uxc CLI with a curated OpenAPI schema and query signing. Before installing: ensure you trust the schema URL (raw.githubusercontent.com) and optionally fetch/verify it yourself; prefer storing private keys in a secure vault (1Password, OS keyring, or a secret manager) rather than long-lived plaintext environment variables; keep mainnet keys separate from testnet keys and use the documented testnet-first flow to validate requests before placing mainnet orders; confirm that any agent you give autonomous invocation to should be allowed to run uxc with access to your Binance credentials (if you enable autonomous runs, the agent could trigger API calls using whatever credentials uxc can access). The validate.sh script is a local maintainer helper requiring rg and jq — it is not an installer and does not run automatically.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dk1ya99c7bvhvrc4sxwbknh82yjse

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments