BNB Chain trading
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a real crypto-trading skill that asks for wallet approvals and signed orders, but its BNB-only listing under-discloses broader multi-chain trading scope and should be reviewed carefully before use.
Treat this as a high-impact crypto trading integration. Before installing or using it with real funds, verify that you trust the Orbs/Spot contracts and relay, confirm the intended chain, inspect every wallet approval and signature prompt, avoid changing the output recipient away from your own wallet, and use limited amounts/deadlines for recurring orders.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may think they are installing a BNB-only trading helper while the agent may treat it as valid for other chains too.
The registry presents the skill as 'BNB Chain trading', but the actual instructions authorize order creation across eight chains. For a wallet-signing trading skill, this under-discloses the asset-moving scope.
## Supported Chains 1. Ethereum - `1` ... 2. BNB Chain - `56` ... 3. Polygon - `137` ... 4. Sonic - `146` ... 5. Base - `8453` ... 6. Arbitrum One - `42161` ... 7. Avalanche - `43114` ... 8. Linea - `59144` ...
Install only if you intend to use this Spot/Orbs workflow across the listed chains, and verify the target chain and contract addresses in every wallet prompt.
Approving or signing the wrong order could allow the protocol contract to spend tokens up to the order's max amount.
The skill asks the user to approve token spending by a contract and then sign EIP-712 data. This is expected for non-custodial trading, but it grants authority over the specified token amount.
If allowance for `input.token` to `typedData.domain.verifyingContract` is lower than `input.maxAmount`, the default suggestion is a standard ERC-20 `approve(typedData.domain.verifyingContract, input.maxAmount)` transaction first.
Review token, amount, spender/verifying contract, recipient, deadline, chain ID, and slippage in the wallet before approving or signing.
Once submitted, an eligible order may be executed according to its signed parameters.
The skill sends a signed trading payload to an external relay. This is purpose-aligned, but the signed payload is what enables the order lifecycle.
Submit this exact relay payload to `https://agents-sink.orbs.network/orders/new`:
```json
{
"order": "<typedData.message>",
"signature": "<full signature or { r, s, v }>",
"status": "pending"
}
```
Submit only orders you intentionally approved, and keep the exact typed data and signature so you can query or cancel the order if needed.
A recurring order can keep filling chunks after initial submission, rather than being a one-time action.
The skill supports recurring orders that can continue executing over time until the deadline. This persistence is disclosed and central to TWAP/DCA behavior.
chunked or TWAP = `input.amount < input.maxAmount`; recurring chunked = `epoch > 0` ... `deadline = start + 300 + chunkCount * epoch`
Use conservative max amounts and deadlines for recurring orders, and understand the cancellation flow before placing them.
Users may need extra verification that this registry package matches the intended upstream Spot/Orbs skill and contract set.
The bundled package metadata identifies a different package name/version than the registry listing. There is no installable code here, but provenance matters for a skill that hardcodes contracts and relay endpoints.
"name": "@orbs-network/spot-skill", "version": "2.5.5", "repository": { "type": "git", "url": "git+https://github.com/orbs-network/spot.git" }
Verify the upstream repository, audit link, relay endpoint, and contract addresses independently before using real funds.
