Skill v1.0.0

ClawScan security

Binance Web3 Openapi Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 9:41 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement read-only Binance Web3 API calls as described, but there are small inconsistencies (undeclared runtime prerequisites and developer checks) you should understand before installing.
Guidance
This skill is largely what it says: a read-only OpenAPI mapping to Binance Web3 public endpoints. Before installing, note that SKILL.md requires the 'uxc' CLI and the binance-web3-openapi-cli link — but the registry metadata doesn't list those binaries; install 'uxc' if you plan to use it. The skill needs network access to web3.binance.com and the raw GitHub schema URL (though a local schema copy is bundled). Be deliberate when supplying wallet addresses (they are sensitive). If you plan to run the included validate.sh, ensure you have ripgrep (rg) and jq available. If these undeclared prerequisites or network accesses are unacceptable in your environment, treat the mismatch as a reason to avoid or further audit the skill.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (public read-only access to Binance Web3 endpoints via uxc + a curated OpenAPI schema) matches the included OpenAPI file and examples. However, the SKILL.md requires the 'uxc' tool and a host CLI alias (binance-web3-openapi-cli) at runtime even though the registry metadata lists no required binaries; the included validation script also expects 'rg' and 'jq'. This is likely an omission in the metadata rather than a malicious one, but it is an inconsistency.
Instruction Scope
ok: Runtime instructions are narrowly scoped to calling public Binance Web3 endpoints via uxc/binance-web3-openapi-cli, inspecting operation schemas, and passing operation-level headers where required. The instructions require network access to https://web3.binance.com and to the raw.githubusercontent.com schema URL. They do not instruct reading local secrets or other system files, nor do they request credentials. Note: some endpoints (address holdings) accept wallet addresses, which are sensitive user data and should be supplied deliberately by the user.
Install Mechanism
ok: This is instruction-only (no install spec) and ships a local OpenAPI JSON copy. No downloads or archive extraction are performed by the skill itself. The only install-related artifact is a validation script (scripts/validate.sh) used by maintainers that requires 'rg' and 'jq'; this script does not appear to run at runtime for agents but does introduce a developer-time dependency.
Credentials
ok: The skill does not declare any required environment variables or credentials, which is consistent with its use of public endpoints. There is no evidence in SKILL.md or code that it attempts to access unrelated secrets or environment variables.
Persistence & Privilege
ok: The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It allows autonomous invocation (disable-model-invocation:false), which is normal for skills; no combination of broad privileges is present that would increase concern.