Security audit

币安撸毛助手 By：0x_WanG

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public Binance and airdrop activity information and saves limited local reports, with no evidence of credential use, account access, or destructive behavior.

Install only if you are comfortable with the skill contacting Binance and alpha123.uk and saving Markdown reports under your OpenClaw workspace. Treat airdrop and earning information as informational, verify offers on official Binance pages before acting, and be aware that the default filtering favors Chinese-region activities and UTC+8 timing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (9)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill declares environment-variable access, local file persistence, and outbound network use in its content, but the static finding indicates these capabilities are not expressed through a formal permissions model. That creates a transparency and consent gap: a user or platform may invoke the skill expecting a simple informational tool while it can still write files and contact external services. In this context, the behavior appears aligned with the feature set rather than overtly malicious, but undeclared capabilities are still risky because they reduce auditability and user control.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 94% confidence
Finding: The documented purpose is Binance activity discovery, but the finding shows additional behavior: querying a third-party site (alpha123.uk), exporting verification artifacts to local files, and including bulk scraping/debug workflows. Description-to-behavior mismatch is dangerous because users may consent to one scope of activity while the skill performs broader collection, persistence, and external communication than expected. The risk is elevated here because third-party fetching and silent local exports expand both privacy and supply-chain exposure beyond the stated Binance-only use case.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The skill fetches 'Alpha 空投预告' data from alpha123.uk, a third-party site unrelated to Binance, while the rest of the skill is framed as a Binance activity assistant. This expands the trust boundary to an unverified external source, enabling misinformation, manipulated promotions, or unexpected content to be surfaced to users under the appearance of curated financial guidance.

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The header comments and rendered output claim that '所有数据来自币安 API 实时获取，确保准确', but the code also includes scraped data from alpha123.uk. This is a trust and provenance integrity issue: users may rely on financial/promotional information believing it is official Binance data when it is not, increasing the risk of deception or bad decisions.

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The script persists a report to disk even though the stated skill purpose is to display current Binance earning activity information. Undisclosed local persistence creates a privacy and transparency issue, especially in agent environments where users may not expect filesystem side effects from a read-oriented skill.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger list includes generic phrases such as "赚钱活动" and broad Binance-related queries that can overlap with ordinary user requests, causing the skill to activate when the user may not specifically want this tool. In a financial/promotional context, unintended activation is more sensitive because it can steer users toward time-sensitive earning or airdrop content without clear intent confirmation.

Natural-Language Policy Violations

Medium

Confidence: 81% confidence
Finding: The release notes describe behavior that filters for Chinese-speaking regions and converts times to UTC+8, indicating locale-specific handling without clear user opt-in. This can exclude relevant opportunities, misalign responses with the user's actual region or language preference, and create misleading output in a finance-related assistant where eligibility and timing matter.

Natural-Language Policy Violations

Medium

Confidence: 76% confidence
Finding: Automatically filtering out non-Chinese-region activities without user opt-in is a hidden behavioral constraint that can bias results and suppress relevant information. While not a classic exploit, it is a trust and integrity issue: users may believe they are seeing comprehensive Binance opportunities when the skill is silently excluding data based on locale assumptions. In this skill's context, the impact is limited but still meaningful because financial/promotional decisions may be based on incomplete output.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: Writing a report file without explicit warning or confirmation is a real security-relevant behavior mismatch for a skill presented as informational. In agent/workspace contexts, silent persistence can leak derived user activity, create unwanted artifacts, and surprise users who expect a read-only operation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.