Binance Trade Hunter
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: binance-trade-hunter
Version: 1.4.0

The skill is a functional Binance trading bot that performs market analysis and automated trade execution. It is classified as suspicious because it implements several high-risk behaviors that, while plausibly necessary for its stated purpose, grant the agent significant privileges: it automatically reads the global OpenClaw configuration file (~/.openclaw/openclaw.json) to harvest Telegram bot tokens, manages long-running background processes via subprocess.Popen, and handles sensitive Binance Ed25519 private keys for real-money transactions. The skill also uses the Telegram getUpdates API (in tg_config.py) to auto-discover chat IDs, which involves monitoring recent bot interactions. No clear evidence of intentional malice or data exfiltration to third parties was found, but the broad filesystem access and financial capabilities represent a high-risk attack surface.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is over-scoped, mishandled, or used unexpectedly, the agent can trade real funds and credential compromise could cause financial loss.
The skill requires credentials capable of trading on a Binance account. That authority is high impact, and the registry metadata declares no primary credential or required config path.
Ask the user for their Binance API Key and Ed25519 private key file path ... API Key must have Spot Trading permission enabled
Use a Binance subaccount with no withdrawal permission, IP restrictions, and a small balance. The skill should declare these credentials in metadata and enforce least-privilege limits.

An accidental or misunderstood invocation could buy or sell cryptocurrency with real money.
The trade executor directly submits signed Binance MARKET orders. The code shown executes the order for the passed symbol and amount without a visible built-in confirmation gate, maximum order size, or trading allowlist.
params = {"symbol": symbol, "side": "BUY", "type": "MARKET", "quoteOrderQty": f"{usdt_amount:.2f}"} ... self.client._request("POST", "/api/v3/order", params=params, signed=True)
Require explicit per-order confirmation, show the exact symbol/side/amount before execution, and add code-level safeguards such as a maximum order size, a dry-run mode, and optional symbol allowlists.

Trading alerts or prompts could be sent to the wrong Telegram chat, potentially exposing activity or inviting unintended users to interact with the bot.
When chat_id is not configured, the skill chooses the most recent private Telegram chat from bot updates, which may not be the current OpenClaw conversation or intended recipient.
Fallback: getUpdates API to find the most recent private chat_id ... url = f"https://api.telegram.org/bot{bot_token}/getUpdates" ... if chat.get("type") == "private": ... return cid
Require an explicit, verified chat_id for notifications or a trusted current-session value; avoid getUpdates auto-discovery for financial workflows.

Monitoring and Telegram pushes may continue until the user explicitly stops them.
The skill discloses long-running pump alert and coin push services. They are purpose-aligned and user-started, but they persist beyond a single chat response.
Background services run as independent processes. Use service_status to check.
Start background services only when needed, periodically check service_status, and stop them when no longer desired.

Future dependency versions could change behavior or introduce vulnerable packages.
The skill installs third-party packages using broad minimum-version ranges rather than pinned versions or a lockfile.
python-binance>=1.0.19
ccxt>=4.0.0
websocket-client>=1.6.0
requests>=2.31.0
Pin dependency versions, provide a lockfile or hashes, and install in an isolated virtual environment.
