Binance Square Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for Binance Square posting, but it asks for full Binance session credentials and includes broad browser/session probing tools that need careful review before use.

Install only if you are comfortable giving the skill full active Binance web-session credentials and posting authority. Use a dedicated low-privilege account if possible, keep cookies and .env/config files out of repositories and logs, avoid the CDP/probe/analyze scripts unless you understand their side effects, and do not pass untrusted image URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The documented API surface includes additional private capabilities such as draft saving, vote creation, image upload, and pre-check that go beyond the declared scope of session validation, publishing posts, and status checks. This mismatch increases the chance that an agent or reviewer underestimates what the skill can do, which can enable unauthorized or unexpected actions if these endpoints are exposed through the implementation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The script accepts Binance session cookies from a file, CLI flag, or environment variable and injects them into a Playwright browser context, enabling authenticated browsing with a real user session. In the context of a publishing skill, this broadens scope into session reuse and account impersonation; if misused or combined with logging/capture behavior, it can expose or abuse a user's authenticated Binance account.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The script hooks all page requests, filters Binance /bapi/ traffic, and writes URLs, paths, headers, and truncated request bodies to disk as a report. That behavior effectively performs authenticated traffic harvesting and endpoint discovery, which is more powerful than the stated validate/publish/status skill purpose and can leak authorization headers, CSRF tokens, identifiers, and post content into persistent files.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The skill's advertised scope is publishing to Binance Square, but it also fetches arbitrary attacker-controlled image URLs server-side before re-uploading them. That creates SSRF-style behavior and lets an untrusted caller make the host perform outbound requests to internal services, cloud metadata endpoints, or other sensitive network locations, which is broader and riskier than the declared functionality.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The code can attach to a live browser via CDP, inject cookies, navigate pages, and execute arbitrary JavaScript expressions in that browser context. In an agent skill, this is a powerful hidden capability because compromise or misuse could leverage an already-authenticated browser session to perform unintended actions, access session-scoped data, or pivot beyond the stated Binance publishing task.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
This script attaches to a locally exposed Chrome DevTools Protocol endpoint, selects a live browser tab, and executes arbitrary JavaScript fetches in that page context with existing session cookies. That effectively turns a logged-in browser session into an authenticated API probe against undocumented private endpoints, enabling misuse of user authority and discovery of capabilities beyond the declared skill scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The endpoint list includes image upload, media upload, draft save, and poll/vote creation operations that exceed the stated publishing/status functionality. Probing extra privileged capabilities increases the chance of unintended account actions and indicates over-collection of access relative to the skill's declared purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The client selects any existing browser page whose URL merely contains "binance.com", or falls back to the first available page, then attaches to that page's CDP session. In an agent context, this can hijack an unrelated authenticated browser tab and execute fetches or cookie injection in the wrong browsing context, enabling unintended actions or data access beyond the intended Binance Square publishing flow.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill instructs users to extract their full Binance authentication cookie header and CSRF token and store them as environment variables, but it does not provide a strong warning that these are highly sensitive account credentials equivalent to session access. If mishandled, logged, or reused outside the intended host, an attacker could hijack the user's Binance session and act on the account, including posting content or potentially accessing other account-scoped actions exposed by the same session.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The guide instructs users to extract live Binance authentication material (cookie header, CSRF token, session token) from browser traffic and store it in local configuration, but it does not prominently warn that these values are effectively bearer/session credentials that may enable account access or actions if exposed. In the context of an agent skill that automates posting to a financial platform, encouraging manual credential harvesting from DevTools and reverse-engineered endpoints increases the chance of unsafe handling, accidental leakage, or misuse of a privileged account session.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The captured request object includes the full request headers and optional postData, and later the report is written to disk. Because headers commonly contain cookies, auth tokens, anti-CSRF values, and request bodies may contain unpublished content or account metadata, this creates a clear sensitive-data exposure risk on the local filesystem.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The script performs authenticated POST requests to private create/publish/draft endpoints using the browser's session credentials, and some of these requests can change account state rather than merely inspect availability. Running such requests without clear notice, dry-run protections, or confirmation can create content, drafts, uploads, or other side effects on the user's Binance Square account.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
By using Runtime.evaluate to run fetch with credentials:"include" inside an existing browser page, the script silently leverages the user's authenticated session and can read response bodies from private endpoints. This creates a significant privacy and authorization boundary issue because the user may not realize their active session is being used to access and disclose account-scoped data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The function fetches arbitrary user-supplied URLs server-side and then re-uploads the retrieved bytes to another endpoint. This creates an SSRF-style primitive and blind data exfiltration path: an attacker can cause the service to access internal or metadata endpoints, or fetch sensitive resources, and forward their contents as an uploaded 'image' if the response headers and size checks are satisfied.

VirusTotal

62/62 vendors flagged this skill as clean.
