ClawHub

Crypto Scalper Bot

Security checks across malware telemetry and agentic risk

Overview

This is a real Binance futures trading bot, but several setup and QA paths can use live credentials or trigger live trading in ways the labels do not clearly disclose.

Review before installing. Use only a dedicated restricted Binance API key with withdrawals disabled and IP allowlisting if available, verify the Telegram destination, fix run_qa.sh before using QA or cron, and do not run this with live funds until you have added a dry-run/testnet mode and clear confirmation or risk limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Tainted flow: 'url' from os.environ.get (line 114, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
url = f"{BINANCE_FUTURES_API}{endpoint}?{query}&signature={signature}"
    headers = {'X-MBX-APIKEY': API_KEY}
    if method == 'GET':
        r = requests.get(url, headers=headers, timeout=10)
    elif method == 'POST':
        r = requests.post(url, headers=headers, timeout=10)
    elif method == 'DELETE':
Confidence
97% confidence
Finding
r = requests.get(url, headers=headers, timeout=10)

Tainted flow: 'url' from os.environ.get (line 114, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
try:
        url = f"https://api.telegram.org/bot{TELEGRAM_TOKEN}/sendMessage"
        data = {"chat_id": TELEGRAM_CHAT_ID, "text": message, "parse_mode": "HTML"}
        r = requests.post(url, data=data, timeout=10)
        return r.json().get('ok', False)
    except:
        print(f"📱 Telegram: {message}")
Confidence
93% confidence
Finding
r = requests.post(url, data=data, timeout=10)

Tainted flow: 'url' from os.environ.get (line 114, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if method == 'GET':
        r = requests.get(url, headers=headers, timeout=10)
    elif method == 'POST':
        r = requests.post(url, headers=headers, timeout=10)
    elif method == 'DELETE':
        r = requests.delete(url, headers=headers, timeout=10)
    return r.json()
Confidence
97% confidence
Finding
r = requests.post(url, headers=headers, timeout=10)

Tainted flow: 'url' from os.environ.get (line 72, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
url = f"{BASE_URL}{endpoint}?{query}&signature={signature}"
    headers = {'X-MBX-APIKEY': API_KEY}
    if method == 'GET':
        r = requests.get(url, headers=headers, timeout=10)
    elif method == 'POST':
        r = requests.post(url, headers=headers, timeout=10)
    elif method == 'DELETE':
Confidence
87% confidence
Finding
r = requests.get(url, headers=headers, timeout=10)

Tainted flow: 'url' from os.environ.get (line 72, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
try:
        url = f"https://api.telegram.org/bot{TELEGRAM_TOKEN}/sendMessage"
        data = {"chat_id": TELEGRAM_CHAT_ID, "text": message, "parse_mode": "HTML"}
        requests.post(url, data=data, timeout=10)
        return True
    except:
        print(f"📱 {message}")
Confidence
89% confidence
Finding
requests.post(url, data=data, timeout=10)

Tainted flow: 'url' from os.environ.get (line 72, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if method == 'GET':
        r = requests.get(url, headers=headers, timeout=10)
    elif method == 'POST':
        r = requests.post(url, headers=headers, timeout=10)
    elif method == 'DELETE':
        r = requests.delete(url, headers=headers, timeout=10)
    return r.json()
Confidence
87% confidence
Finding
r = requests.post(url, headers=headers, timeout=10)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The docstring claims this is a 'Safe export version - uses env vars only,' but the script also reads local credential files and performs live trading plus Telegram transmission. Misleading safety claims are dangerous because they can lower operator suspicion and cause users to run a high-risk skill under false assumptions.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The docstring labels the file as a 'Safe export version' even though the code loads real credentials, performs authenticated Binance Futures requests, places market orders, closes positions, and sends Telegram notifications. Mislabeling an actively trading script as safe materially increases the chance a user executes it under false assumptions.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The docstring presents the script as a 'Safe export version' and 'System Health Check', but the code performs authenticated live Binance actions and sends Telegram messages. That mismatch is dangerous because it can mislead operators into running a script they believe is read-only when it can interact with trading infrastructure and potentially place orders.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script presents itself as a setup verification tool, but it does more than local validation: it loads live Binance credentials and performs an authenticated account query. That mismatch can cause users to run a script they believe is non-destructive or offline when it actually transmits secrets-derived requests to a third-party service and accesses account data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill advertises and operationalizes an automated Binance Futures trading bot without a clear warning that executing the provided commands can place real leveraged trades on a live account. In this context, omission of that warning is dangerous because users may treat the skill like a harmless utility or backtesting tool and unintentionally incur rapid financial losses, liquidation risk, or account exposure once credentials are configured.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script exposes direct order-placement and position-closing helpers for market orders, and the main flow calls them automatically without any explicit confirmation or safety interlock. In a trading skill, this is a real vulnerability because logic bugs, hostile modifications, or bad signals can immediately trigger irreversible financial transactions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The functions defined here place and close market orders directly, and later logic invokes them automatically based on signals and position checks without user confirmation. In the context of an agent skill, this is especially dangerous because execution can cause immediate financial loss, unintended leverage exposure, and irreversible trades on a live account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently loads Binance and Telegram credentials from local env files and uses them for live authenticated actions and external messaging without prominent disclosure. In a shared agent/workspace environment, that increases the chance of accidental use of sensitive credentials and unintended account activity.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script silently loads secrets from multiple local env files, including workspace and root-relative paths, without clearly informing the user. In an agent-skill context, undisclosed credential discovery increases risk because execution may access sensitive tokens the operator did not intend to expose to this skill.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script makes authenticated requests to Binance and Telegram and transmits account status and issue data externally without a clear consent or disclosure boundary. In a skill environment, hidden outbound communications are more dangerous because they can expose operational metadata and trigger external effects under the user's credentials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sources a credential file directly and echoes part of the API key to the terminal, increasing the chance that secrets are exposed via terminal logs, screenshots, shell history capture tools, or CI output. It also treats an env file as shell code, so a maliciously modified file could execute arbitrary commands when sourced.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs an authenticated Binance API request using user credentials without a clear warning that account data will be queried and transmitted over the network. In a setup-check context, that can mislead users about the sensitivity of the action and increases the risk of unintended disclosure or use of production credentials.

Credential Access

High
Category
Privilege Escalation
Content
echo ""
echo "📁 Checking env files..."

if [ -f "binance.env" ]; then
    source binance.env
    if [ -n "$BINANCE_API_KEY" ] && [ -n "$BINANCE_API_SECRET" ]; then
        echo "✅ binance.env: Found (${BINANCE_API_KEY:0:10}...)"
Confidence
93% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
echo "📁 Checking env files..."

if [ -f "binance.env" ]; then
    source binance.env
    if [ -n "$BINANCE_API_KEY" ] && [ -n "$BINANCE_API_SECRET" ]; then
        echo "✅ binance.env: Found (${BINANCE_API_KEY:0:10}...)"
    else
Confidence
91% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
echo "❌ binance.env: Not found!"
fi

if [ -f "telegram.env" ]; then
    source telegram.env
    if [ -n "$TELEGRAM_BOT_TOKEN" ] && [ -n "$TELEGRAM_CHAT_ID" ]; then
        echo "✅ telegram.env: Found"
Confidence
90% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# Try to fetch balance
echo ""
echo "🌐 Testing Binance connection..."
if [ -f "binance.env" ]; then
    source binance.env
    python3 << 'PYEOF'
import os, requests, hmac, hashlib, time
Confidence
95% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
source binance.env
    python3 << 'PYEOF'
import os, requests, hmac, hashlib, time
for env_file in ['binance.env']:
    with open(env_file) as f:
        for line in f:
            if '=' in line:
Confidence
94% confidence
Finding
.env'

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal