BNB Chain trading
PassAudited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill Name: bnb-chain-trading Version: 1.0.0 The skill bundle facilitates non-custodial trading on EVM chains (BNB Chain, Ethereum, etc.) via the Orbs Network 'Spot' protocol. It provides structured instructions for an agent to build, sign, and submit EIP-712 order payloads to a designated relay endpoint (agents-sink.orbs.network). The documentation (SKILL.md, README.md) and templates (repermit.template.json) are consistent with the stated purpose of advanced order types like TWAP and stop-loss. No indicators of malicious intent, such as secret exfiltration or unauthorized execution, were detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may think they are installing a BNB-only trading helper while the agent may treat it as valid for other chains too.
The registry presents the skill as 'BNB Chain trading', but the actual instructions authorize order creation across eight chains. For a wallet-signing trading skill, this under-discloses the asset-moving scope.
## Supported Chains 1. Ethereum - `1` ... 2. BNB Chain - `56` ... 3. Polygon - `137` ... 4. Sonic - `146` ... 5. Base - `8453` ... 6. Arbitrum One - `42161` ... 7. Avalanche - `43114` ... 8. Linea - `59144` ...
Install only if you intend to use this Spot/Orbs workflow across the listed chains, and verify the target chain and contract addresses in every wallet prompt.
Approving or signing the wrong order could allow the protocol contract to spend tokens up to the order's max amount.
The skill asks the user to approve token spending by a contract and then sign EIP-712 data. This is expected for non-custodial trading, but it grants authority over the specified token amount.
If allowance for `input.token` to `typedData.domain.verifyingContract` is lower than `input.maxAmount`, the default suggestion is a standard ERC-20 `approve(typedData.domain.verifyingContract, input.maxAmount)` transaction first.
Review token, amount, spender/verifying contract, recipient, deadline, chain ID, and slippage in the wallet before approving or signing.
Once submitted, an eligible order may be executed according to its signed parameters.
The skill sends a signed trading payload to an external relay. This is purpose-aligned, but the signed payload is what enables the order lifecycle.
Submit this exact relay payload to `https://agents-sink.orbs.network/orders/new`:
```json
{
"order": "<typedData.message>",
"signature": "<full signature or { r, s, v }>",
"status": "pending"
}
```Submit only orders you intentionally approved, and keep the exact typed data and signature so you can query or cancel the order if needed.
A recurring order can keep filling chunks after initial submission, rather than being a one-time action.
The skill supports recurring orders that can continue executing over time until the deadline. This persistence is disclosed and central to TWAP/DCA behavior.
chunked or TWAP = `input.amount < input.maxAmount`; recurring chunked = `epoch > 0` ... `deadline = start + 300 + chunkCount * epoch`
Use conservative max amounts and deadlines for recurring orders, and understand the cancellation flow before placing them.
Users may need extra verification that this registry package matches the intended upstream Spot/Orbs skill and contract set.
The bundled package metadata identifies a different package name/version than the registry listing. There is no installable code here, but provenance matters for a skill that hardcodes contracts and relay endpoints.
"name": "@orbs-network/spot-skill", "version": "2.5.5", "repository": { "type": "git", "url": "git+https://github.com/orbs-network/spot.git" }Verify the upstream repository, audit link, relay endpoint, and contract addresses independently before using real funds.