APEX IA Scanner
Warn. Audited by ClawScan on May 11, 2026.
Overview
This is presented as a Binance Futures scanner, but the bundled code contains hardcoded Binance credentials, automatic futures order execution, and runtime package installation.
Review carefully before installing or running. Treat this as more than a scanner: remove or ignore the trading scripts, do not use bundled credentials, do not add real Binance keys unless you fully understand the order-execution code, and avoid running files that install packages through shell commands.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Impact: If a user runs these scripts or adapts them to real credentials, the skill could place unexpected leveraged crypto futures trades and create financial exposure.
Description: The included code can automatically submit leveraged Binance Futures market orders and explicitly disables stop loss in this variant, which goes beyond the advertised scanner behavior.
Evidence:
let MAX_LEVERAGE = 20; ... let USE_STOP_LOSS = false; ... let autoTrade = true; ... await binanceRequest('POST', '/fapi/v1/order', { ... type: 'MARKET' ... }, true);
Recommendation: Separate scanning from trading, default all trading to off, require explicit per-order user confirmation, document risk limits, and remove high-risk aggressive defaults.
Finding 2
Impact: Bundled trading credentials can be exposed or misused, and users may not realize the skill contains account-level trading authority.
Description: Binance API credentials are hardcoded and used for signed account/order requests, while the registry metadata declares no required credentials.
Evidence:
const API_KEY = 'Dq0...'; const API_SECRET = '1kV...'; ... headers: { 'X-MBX-APIKEY': API_KEY }
Recommendation: Revoke and rotate the exposed keys, remove secrets from source, require user-provided scoped testnet/mainnet credentials via environment variables, and declare the credential requirement clearly.
Finding 3
Impact: Running the script can modify the local Node environment and fetch external package code unexpectedly.
Description: A source file invokes a shell command to install an npm package, despite the skill having no install spec or declared setup step.
Evidence:
execSync('npm install ws', { stdio: 'inherit' });
Recommendation: Move dependencies to package.json/package-lock, avoid runtime shell installation, and require explicit user approval for any setup command.
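The signals behind findings 1 to 3 are all visible in source text, so they can be caught before a skill is installed. The check below is an added example, not ClawScan's tooling and not code from the scanned package: it runs a few line-level patterns over a constructed sample that mirrors the evidence snippets (with placeholder credential values), redacts any literal that looks like a key so the report itself does not leak it, and rolls the hits up into a verdict. The check IDs, severities and the warn/pass labels are this example's own.

```javascript
// Added example, not part of ClawScan or of the scanned package: a small
// static check for the signals in findings 1 to 3. The check IDs and
// severities are this example's own labels.
const CHECKS = [
  {
    id: 'hardcoded-credential',
    severity: 'high',
    // const API_KEY = 'literal';  (an env lookup on the right side does not match)
    pattern: /\b(?:const|let|var)\s+[A-Za-z_]*(?:key|secret)\s*=\s*['"][A-Za-z0-9]{8,}['"]/i,
    redact: true,
  },
  {
    id: 'runtime-package-install',
    severity: 'medium',
    pattern: /\bexecSync\s*\(\s*['"`]\s*(?:npm|pnpm|yarn)\s+(?:install|add|i)\b/,
  },
  { id: 'auto-trade-enabled', severity: 'high', pattern: /\bautoTrade\s*=\s*true\b/ },
  { id: 'stop-loss-disabled', severity: 'high', pattern: /\bUSE_STOP_LOSS\s*=\s*false\b/ },
  { id: 'futures-order-endpoint', severity: 'info', pattern: /\/fapi\/v1\/order\b/ },
];

// Never copy a matched secret into the report; keep only its shape.
function redactLiterals(line) {
  return line.replace(/(['"])[A-Za-z0-9]{8,}\1/g, '$1<redacted>$1');
}

function scanSource(source, filename = '<input>') {
  const findings = [];
  source.split(/\r?\n/).forEach((line, index) => {
    for (const check of CHECKS) {
      if (!check.pattern.test(line)) continue;
      findings.push({
        id: check.id,
        severity: check.severity,
        file: filename,
        line: index + 1,
        text: check.redact ? redactLiterals(line.trim()) : line.trim(),
      });
    }
  });
  return findings;
}

function summarize(findings) {
  const counts = { high: 0, medium: 0, info: 0, total: findings.length };
  for (const finding of findings) counts[finding.severity] += 1;
  return counts;
}

// Mirrors the review's outcome: one high-severity signal is enough to warn.
function verdict(findings) {
  return findings.some((f) => f.severity === 'high') ? 'warn' : 'pass';
}

// Constructed sample in the shape of the evidence snippets above; the
// credential values are placeholders, not the keys the review found.
const SAMPLE_SOURCE = [
  "const { execSync } = require('child_process');",
  "execSync('npm install ws', { stdio: 'inherit' });",
  "const API_KEY = 'Dq0PLACEHOLDERKEY1234';",
  "const API_SECRET = '1kVPLACEHOLDERSECRET5678';",
  'const SAFE_KEY = process.env.BINANCE_API_KEY;',
  'let MAX_LEVERAGE = 20;',
  'let USE_STOP_LOSS = false;',
  'let autoTrade = true;',
  "await binanceRequest('POST', '/fapi/v1/order', { type: 'MARKET' }, true);",
].join('\n');
```

Running scanSource(SAMPLE_SOURCE) flags six lines (two credential assignments, the runtime npm install, the disabled stop loss, the enabled auto-trade, and the order endpoint) while leaving the process.env lookup alone, and verdict() returns 'warn'. The patterns are deliberately narrow to the shapes seen in this package; a general secret scanner would also look at entropy and at keys passed inline rather than assigned to a constant.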
Finding 4
Impact: Users could install the skill expecting only market scanning while overlooking bundled automated trading behavior.
Description: The commercial documentation suggests automatic execution is not part of the free/pro scanner tiers, but included source files set autoTrade to true and implement order execution.
Evidence (tier table from the documentation, translated from Portuguese):
| Automatic execution | ❌ | ❌ | ✅ |
Recommendation: Align the documentation with the included code, remove unused trading bots from the scanner package, or clearly label them as disabled examples.
