Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Binance Square Post

v1.1.0

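Publishes content to Binance Square. Supports plain-text posts, optionally with $token tags (e.g. $BTC) and #topic hashtags. Integrates a daily news briefing feature that automatically fetches Web3/AI trending topics and publishes them to Square. Users must configure their own API Key before use.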

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Functionality (post text to Binance Square, fetch news from external API, publish daily digest) is coherent with the name/description. However the skill does not declare any required credentials in the registry metadata while the SKILL.md instructs the user to embed their Square OpenAPI Key into the skill config (a mismatch between declared requirements and actual needs).
! Instruction Scope
Runtime instructions only call Binance Square endpoints and third‑party news endpoints (6551.io), which is consistent with posting and auto-news features. Concerns: it tells users to place their API key directly in SKILL.md (plaintext secret storage), and it enables scheduled automatic fetching from 6551.io and posting to Binance — this gives the skill authority to autonomously publish content using the user's key. The instructions do not limit or sanitize content sources beyond 'A+ filtering', and they provide broad discretion for automatic generation and posting.
Install Mechanism
This is an instruction-only skill with no install spec and no files executed on install, which minimizes installation-level risk. There are no downloads, packages, or binaries installed by the skill.
! Credentials
The skill requires the user's Binance Square OpenAPI Key to function but the registry lists no required env vars or primary credential; instead the SKILL.md instructs embedding the key in the skill file. This is disproportionate from a configuration/secret-handling best-practices perspective. The skill also calls an external third-party API (ai.6551.io) — while that service doesn't require credentials in the doc, automatic fetches mean external content can influence what is posted under the user's identity.
Persistence & Privilege
The skill is not marked 'always: true'. Autonomous invocation is allowed (default) and the SKILL.md explicitly supports scheduled daily posts (cron), which could result in recurring autonomous posts using the user's API key. That is expected for an auto-posting skill, but it increases blast radius if the key is misconfigured or the source feeds are untrusted.
What to consider before installing
Before installing:
1) Do not paste your Binance API key into a repository or plain SKILL.md if that file can be stored/shared; prefer the platform's secret store or environment variables.
2) Verify the Binance endpoint and header names against official Binance Square OpenAPI docs to ensure authenticity.
3) Limit the API key permissions (use minimal scopes) and create a key you can safely rotate.
4) Be cautious enabling daily automatic posts; test manual posting first to confirm content formatting and filtering.
5) Vet the third-party news source (https://ai.6551.io); automatic fetching means external content can be posted under your account.
6) Monitor activity and rotate/revoke the key immediately if you see unexpected posts.
If you cannot avoid storing the key in a file, never commit that file to shared repos and consider using a dedicated, low-permission key for testing.
