Security audit

Binance Trade Hunter

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Binance trading skill, but it can use stored financial credentials to place live market orders and run Telegram-linked background services with weak built-in safeguards.

Install only if you intentionally want an agent-connected tool that can trade on Binance. Use a restricted Binance subaccount with limited funds, no withdrawal permission, and IP/API restrictions; configure an explicit Telegram chat_id instead of relying on auto-discovery; review every order before execution; avoid broad triggers; and stop background services when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (29)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
    # Start as background process (no window)
    proc = subprocess.Popen(
        [sys.executable, str(script_path)],
        cwd=str(_SRC_DIR),
        stdout=subprocess.DEVNULL,
Confidence
90% confidence
Finding
proc = subprocess.Popen( [sys.executable, str(script_path)], cwd=str(_SRC_DIR), stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, stdin=subprocess.DEVNU

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The setup flow instructs the agent to collect a Binance API key and an Ed25519 private key file path, which are highly sensitive authentication materials for real-money trading. Even if trading is the skill's purpose, having the agent solicit and handle these credentials directly increases the risk of secret exposure, logging leakage, or misuse by the agent or adjacent tooling.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The documentation instructs the skill to auto-detect the current session's Telegram bot token and chat_id from broader OpenClaw configuration. This is a cross-context secret access pattern that can cause unintended credential reuse and privilege expansion beyond what the user explicitly configured for this skill.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The module contains built-in Telegram transmission logic and uses it in the main runtime path, which sends generated trading alerts to a third-party service. In a trading skill, this creates an unintended data egress channel and expands the trust boundary beyond Binance monitoring, especially because disclosure/consent is not enforced in this file.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The code disables TLS certificate verification for the Binance WebSocket connection via ssl.CERT_NONE, contradicting the apparent purpose of a safe wrapper around market monitoring. This permits man-in-the-middle interception or tampering with live market data, which is especially dangerous in a trading automation context because false prices can trigger misleading alerts or downstream trading actions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill reads Telegram credentials from a separate OpenClaw configuration and even auto-discovers chat IDs, extending access beyond the skill's declared direct trading purpose. This silently broadens its privilege scope and can enable unauthorized messaging or exfiltration using credentials the user did not explicitly provide to this skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill can start and stop independent background processes, giving it persistent operational capability outside the immediate request/response model. In a financial automation context, persistence raises risk because monitoring or push jobs may continue acting or transmitting data after the user no longer expects it.

Vague Triggers

High
Confidence
92% confidence
Finding
Broad trigger phrases like '买', '卖', 'buy', and 'sell' can match ordinary conversation and unintentionally invoke a skill capable of executing real trades. In a financial skill with direct order placement, ambiguous routing materially increases the chance of accidental activation and unauthorized or mistaken trading actions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The command examples for buy/sell are short, natural-language, and insufficiently scoped for actions that place real market orders. Because the skill supports direct execution, these examples normalize low-friction trading without strong intent verification, increasing risk of accidental or manipulated transactions.

Missing User Warnings

High
Confidence
87% confidence
Finding
This method can place live market buy orders immediately with no built-in confirmation, dry-run mode, guardrails, or policy enforcement. In the context of a Telegram-triggered trading skill, that increases the chance of unintended or manipulated purchases from prompt injection, user confusion, or automation mistakes, causing direct financial loss.

Missing User Warnings

High
Confidence
89% confidence
Finding
This method can execute live market sell orders without any confirmation or higher-level safety checks. Because the skill is designed for one-click trading via Telegram, a mistaken command, compromised workflow, or prompt-influenced action could liquidate assets immediately at market price, creating irreversible financial harm.

Missing User Warnings

High
Confidence
99% confidence
Finding
WebSocket TLS verification is explicitly disabled, so the client does not authenticate the Binance endpoint. An attacker on the network path could spoof or alter ticker data and cause false pump signals, undermining integrity in a system that may influence real-money trades.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The Telegram notification helper transmits alert content to Telegram without any explicit consent or disclosure mechanism in this file. Even if the text is only market alerts, it still sends user- or system-generated data to an external service and could expose trading interests, monitored assets, or operational metadata.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill can send Telegram messages and auto-discover a chat target without any user-facing warning or disclosure. This is dangerous because analysis, account-related information, or alerts could be transmitted to an external destination without the user's informed consent.

Missing User Warnings

High
Confidence
99% confidence
Finding
The buy and sell functions execute irreversible market trades directly from function calls without a second-factor confirmation, dry-run preview, or transaction guardrails. In a Binance trading skill, this is especially dangerous because accidental invocation, prompt injection through upstream agent flows, or misunderstanding can cause immediate financial loss.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Starting and stopping detached background processes without clear user safety disclosure can surprise users and create persistent behavior on the host. In this context, such services may keep monitoring markets or pushing messages indefinitely, increasing both operational and privacy risk.

Missing User Warnings

High
Confidence
96% confidence
Finding
The module can place live market buy and sell orders immediately after parsing user intent, with no confirmation step, no dry-run mode, no risk limits, and no explicit guardrail before irreversible execution. In the context of a Telegram-triggered trading skill, ambiguous parsing, prompt injection through surrounding agent flows, or accidental user phrasing could directly cause financial loss.

Ssd 3

High
Confidence
98% confidence
Finding
The setup instructs the agent to solicit sensitive credentials from the user and write them into a local config file for ongoing reuse. Persisting trading credentials in a local file materially increases the blast radius of compromise through file disclosure, logs, backups, workspace sharing, or other skills/processes with filesystem access.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# ============================================================
# Binance API
# ============================================================
python-binance>=1.0.19
ccxt>=4.0.0

# ============================================================
Confidence
91% confidence
Finding
python-binance>=1.0.19

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Binance API
# ============================================================
python-binance>=1.0.19
ccxt>=4.0.0

# ============================================================
# WebSocket real-time data
Confidence
91% confidence
Finding
ccxt>=4.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# ============================================================
# WebSocket real-time data
# ============================================================
websocket-client>=1.6.0
requests>=2.31.0
urllib3>=2.0.0
Confidence
90% confidence
Finding
websocket-client>=1.6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# WebSocket real-time data
# ============================================================
websocket-client>=1.6.0
requests>=2.31.0
urllib3>=2.0.0

# ============================================================
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# ============================================================
websocket-client>=1.6.0
requests>=2.31.0
urllib3>=2.0.0

# ============================================================
# Data processing
Confidence
95% confidence
Finding
urllib3>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# ============================================================
# Data processing
# ============================================================
pandas>=2.0.0
numpy>=1.24.0

# ============================================================
Confidence
83% confidence
Finding
pandas>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Data processing
# ============================================================
pandas>=2.0.0
numpy>=1.24.0

# ============================================================
# Configuration file
Confidence
84% confidence
Finding
numpy>=1.24.0

VirusTotal

66/66 vendors flagged this skill as clean.
