binance-spot-trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Binance trading bot, but it can place real market orders automatically without a built-in dry-run, confirmation gate, or hard trading limits.

Review carefully before installing. Use only Binance API keys with withdrawals disabled, IP restrictions, and a small isolated sub-account. Add or require a dry-run/live-trading switch, explicit approval before the first live order, and maximum per-trade and daily loss limits, and decide whether sending symbol, price, volume, and indicator context to the SkillBoss/heybossai LLM endpoint is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill clearly requires environment secrets, writes logs/files, and makes network calls, but it does not declare corresponding permissions. This undermines least-privilege controls and informed consent, especially because the skill performs authenticated trading and external API communication with sensitive credentials in scope.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
This is a real and important mismatch because the skill description sounds broadly like market analysis and automation, but the behavior includes live order execution, authenticated balance access, and transmission of market/trade context to a third-party LLM service. In a financial-trading context, under-describing these actions is dangerous because users may invoke the skill without realizing it can place real trades and expose account-related data to external services.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The invocation wording is broad enough to match generic requests about trading, automation, DCA, or building bots, which could trigger a skill capable of live financial actions. In this context, over-broad activation is more dangerous than usual because mistaken invocation can lead to credential use, account access, or trade placement in a high-risk domain.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The script can place live Binance MARKET orders automatically based on internal signals and an LLM score, without any explicit user confirmation, dry-run safeguard, or default paper-trading mode. In a trading skill context this is especially dangerous because a misconfiguration, prompt/output anomaly, or strategy bug can immediately cause irreversible financial loss on a real exchange account.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The bot sends market context and derived trading indicators to a third-party LLM endpoint without a strong disclosure or consent boundary. While the transmitted data is not the Binance secret itself, it exposes trading intent, symbols, and strategy-derived signals to an external service, which can create privacy, compliance, and supply-chain risk in an autonomous trading system.

VirusTotal

61/61 vendors flagged this skill as clean.
