binance-square-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed crypto research scraper that saves local reports and can optionally send a summary to Telegram when explicitly invoked.

Install only if you are comfortable with Puppeteer scraping public Binance Square pages and saving the resulting dataset locally. Use a dedicated Telegram bot token for scan:tg, avoid passing private files to the Telegram helper, and treat the generated signals as research rather than financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill supports sending generated report content to Telegram, an external third-party service, without a prominent user-facing warning at the point of use about what data leaves the local environment. This creates a real risk of unintended disclosure of scraped content, trading conclusions, or other sensitive user-derived context if the mode is invoked or default behavior is misunderstood.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal