Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Binance Trade Hunter

Binance trading skill for coin analysis, pump detection, and one-click trading via Telegram. Use when the user wants to analyze crypto coins, check market tr...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's name/description (Binance analysis + trading + Telegram) matches the code's functionality. However the manifest claims no required credentials or config paths while SKILL.md and the code require a Binance API Key and a local Ed25519 private key file (src/config.yaml uses these). requirements.txt also lists heavy packages (python-binance, ccxt, pandas, numpy, python-telegram-bot) that the included code doesn't need (the code uses its own BinanceClient and requests). These mismatches indicate sloppy or inconsistent packaging and deserve scrutiny before trusting credentials.
! Instruction Scope
SKILL.md explicitly instructs the agent to create src/config.yaml, ask the user for a Binance API Key and a local Ed25519 private key file path, install requirements, and not to proceed without the config. The runtime code additionally auto-reads ~/.openclaw/openclaw.json and an OPENCLAW_TG_CHAT_ID env var to auto-fill Telegram settings and may call Telegram getUpdates to discover chat_id — behaviors not declared in the registry metadata or clearly called out as optional. The skill will execute real trades and spawn background processes (PID files), so the instruction scope includes sensitive local file access, network calls, and process control.
Install Mechanism
There is no formal install spec (instruction-only), which lowers installer risk. However SKILL.md tells operators to run pip install -r src/requirements.txt; the requirements file includes many large third-party packages (python-binance, ccxt, pandas, numpy, python-telegram-bot) that are not obviously required by the provided code. Installing unnecessary dependencies increases supply-chain risk and attack surface.
! Credentials
The manifest lists no required env vars or config paths, but the code reads/writes local config (src/config.yaml), requires the user to point to a local private key file, and will try to read ~/.openclaw/openclaw.json and the environment variable OPENCLAW_TG_CHAT_ID to auto-fill Telegram credentials. Accessing another tool's config and environment without declaring it is disproportionate and exposes sensitive tokens (Telegram bot token / chat id) implicitly.
! Persistence & Privilege
The skill does not request 'always: true' (good). It can start background services as independent processes and writes PID files under its src directory. More importantly, it attempts to read OpenClaw's user configuration (~/.openclaw/openclaw.json) to obtain Telegram bot credentials — reading other tools' token files is a cross-scope access that raises privilege concerns even if the skill does not modify other configs.
What to consider before installing
This skill will execute real Binance orders and asks you to provide a Binance API key plus the path to a local Ed25519 private key file; it will also try to auto-read ~/.openclaw/openclaw.json and an OPENCLAW_TG_CHAT_ID env var to discover a Telegram bot token/chat_id. Before installing:

  1. Do not supply your main account keys; use a Binance subaccount with minimal permissions (spot trade only) and limited funds.
  2. Consider creating a config.yaml that contains only the minimum, and keep private key files in a secure, isolated location.
  3. Review and, if necessary, remove the automatic OpenClaw config auto-discovery code if you don't want the skill to read ~/.openclaw/openclaw.json.
  4. Inspect requirements.txt and avoid installing unnecessary packages in sensitive environments (use a virtualenv or container).
  5. Be aware the skill will spawn background processes and write PID files under its directory.
  6. If you need higher assurance, ask the publisher to justify the extra dependencies and to explicitly declare config paths/env vars in the registry metadata.
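
An added example (not part of the scan report or of the skill): a small static check for two of the mismatches described above, namely requirements that no source file imports and environment variables or home-directory paths the code reads without declaring them. The sample source and requirements are constructed from the findings rather than copied from the skill, and `audit`, `scan_sources` and their parameters are names chosen here.

```python
import ast
import re

# PyPI distribution name -> import name, where the two differ.
IMPORT_NAME = {"python-binance": "binance", "python-telegram-bot": "telegram",
               "pyyaml": "yaml", "websocket-client": "websocket"}

def declared_packages(requirements_text):
    """Distribution names in a requirements.txt, version pins dropped."""
    lines = (l.split("#", 1)[0].strip() for l in requirements_text.splitlines())
    return {re.split(r"[<>=!~\[; ]", l, maxsplit=1)[0].lower()
            for l in lines if l and not l.startswith("-")}

def scan_sources(sources):
    """Return (top-level imports, env vars read, '~/' path literals) for all files."""
    imports, env_vars, home_paths = set(), set(), set()
    for text in sources.values():
        for node in ast.walk(ast.parse(text)):   # parsed only, never executed
            if isinstance(node, ast.Import):
                imports.update(a.name.split(".")[0] for a in node.names)
            elif isinstance(node, ast.ImportFrom) and node.module and not node.level:
                imports.add(node.module.split(".")[0])
            elif isinstance(node, ast.Constant) and str(node.value).startswith("~/"):
                home_paths.add(node.value)
            elif (isinstance(node, ast.Call) and node.args
                  and ast.unparse(node.func) in ("os.getenv", "os.environ.get")
                  and isinstance(node.args[0], ast.Constant)):
                env_vars.add(node.args[0].value)
    return imports, env_vars, home_paths

def audit(sources, requirements_text, declared_env=(), declared_paths=()):
    """Compare what the code touches with what the package declares."""
    imports, env_vars, home_paths = scan_sources(sources)
    unused = {pkg for pkg in declared_packages(requirements_text)
              if IMPORT_NAME.get(pkg, pkg.replace("-", "_")) not in imports}
    return {"unused_requirements": sorted(unused),
            "undeclared_env": sorted(env_vars - set(declared_env)),
            "undeclared_paths": sorted(home_paths - set(declared_paths))}

# Constructed sample modelled on the findings above; not the skill's real code.
SAMPLE_SOURCES = {"notifier.py": (
    "import os, json, requests, yaml, websocket, cryptography\n"
    "chat_id = os.environ.get('OPENCLAW_TG_CHAT_ID')\n"
    "cfg = os.path.expanduser('~/.openclaw/openclaw.json')\n")}
SAMPLE_REQUIREMENTS = ("requests\ncryptography\npyyaml\nwebsocket-client\n"
                       "python-binance\nccxt\npandas\nnumpy\npython-telegram-bot\n")

if __name__ == "__main__":
    print(audit(SAMPLE_SOURCES, SAMPLE_REQUIREMENTS))
```

The empty `declared_env` and `declared_paths` defaults mirror a manifest that declares nothing; pass the manifest's declared values to see what remains unexplained.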


Current version: v1.4.0
latest: vk97d1jmsd4s01x3rbdsh798gh5831gfp


SKILL.md

Binance Trade Hunter 🔥

Binance trading-opportunity hunter: trade coins directly from Telegram.

First-Time Setup (MANDATORY)

When this skill is first loaded or installed, IMMEDIATELY check if src/config.yaml exists in this skill's directory.

If src/config.yaml does NOT exist, you MUST stop and guide the user through setup NOW — do not wait for a command:

  1. Tell the user: "🔧 Binance Trade Hunter installed successfully! Initial configuration must be completed before it can be used."
  2. Copy src/config.example.yaml to src/config.yaml
  3. Ask the user for their Binance API Key and Ed25519 private key file path
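    • ⚠️ Before asking, warn the user: "For the safety of your funds, we strongly recommend using the API Key of a Binance sub-account, not your main account. A sub-account can be created in the Binance App → Account Management → Sub-accounts, with its own API permissions and fund limit, so even if the key leaks, the main account's assets are not affected."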
    • API Key must have Spot Trading permission enabled
    • Key type must be Ed25519 (not HMAC-SHA256)
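  4. Ask the user: "Do you need to configure separate Telegram notifications? If none are specified, notifications will be sent by default through the TG Bot of the current conversation."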
    • If user wants custom TG: ask for bot_token and chat_id, fill into config.yaml
    • If user skips (default): leave telegram section empty or remove it. The skill will auto-detect the current session's TG bot token and chat_id from OpenClaw config.
  5. Fill the values into src/config.yaml
  6. Run: pip install -r src/requirements.txt (if dependencies not installed)
  7. After setup is complete, tell the user: "✅ Configuration complete! You can start using it now. Try saying "analyze promising coins" or "check balance"."

Do NOT skip this step. Do NOT proceed to any command if config.yaml is missing.

Usage

All commands use this skill's directory as working dir. Replace SKILL_DIR with the resolved absolute path of this SKILL.md's parent directory.

Instant Commands

All functions return formatted text. Reply directly to user.

Analyze Top Coins — "analyze promising coins" / "recommend coins" / "analyze coins"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import analyze_top_coins; print(analyze_top_coins(3))"

Analyze Single Coin — "analyze XXX" / "analyze BTC" / "take a look at SOL"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import analyze_coin; print(analyze_coin('BTC'))"

Replace 'BTC' with user's coin symbol.

Buy — "buy 50U of ETH" / "buy 100U BTC"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import buy; print(buy('ETH', 50))"

Args: coin symbol, USDT amount. ⚠️ Real money trade — confirm with user before executing.

Sell All — "sell off BTC" / "sell all ETH"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import sell_all; print(sell_all('BTC'))"

Sell Half — "sell half of BTC" / "sell half ETH"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import sell_half; print(sell_half('BTC'))"
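
An added example, not code from the skill: the single-coin commands above place the user's coin symbol inside the text of a `python -c` program. One way to pass it as data instead, validating the symbol and amount first; `build_command`, `run`, the ticker pattern and the 10,000 USDT cap are assumptions made here, and `skill_api` functions are assumed to accept a float amount.

```python
import re
import subprocess
import sys

SYMBOL_RE = re.compile(r"[A-Z0-9]{2,12}")   # assumption: plain ticker such as BTC
ALLOWED = {"analyze_coin": 1, "buy": 2, "sell_all": 1, "sell_half": 1}  # name -> argc

# Fixed program text: function name and arguments arrive via sys.argv as data,
# so nothing the user typed is ever parsed as Python source.
RUNNER = ("import sys; sys.path.insert(0, 'src'); import skill_api; "
          "fn, sym, *rest = sys.argv[1:]; "
          "print(getattr(skill_api, fn)(sym, *map(float, rest)))")

def build_command(function, symbol, amount=None):
    """Validate the inputs and return an argv list for subprocess.run (no shell)."""
    if function not in ALLOWED:
        raise ValueError(f"function not allowed: {function!r}")
    symbol = symbol.strip().upper()
    if not SYMBOL_RE.fullmatch(symbol):
        raise ValueError(f"rejected coin symbol: {symbol!r}")
    args = [symbol]
    if ALLOWED[function] == 2:
        # A missing amount becomes NaN, which fails the range check below.
        value = float(amount if amount is not None else "nan")
        if not 0 < value <= 10_000:          # assumption: per-order cap in USDT
            raise ValueError(f"rejected amount: {amount!r}")
        args.append(repr(value))
    elif amount is not None:
        raise ValueError(f"{function} takes no amount")
    return [sys.executable, "-c", RUNNER, function, *args]

def run(function, symbol, amount=None, skill_dir="."):
    """Run the call inside skill_dir; hypothetical wrapper, not part of the skill."""
    return subprocess.run(build_command(function, symbol, amount), cwd=skill_dir,
                          capture_output=True, text=True, timeout=60)
```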

Check Positions — "check holdings" / "positions held" / "positions"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import get_positions; print(get_positions())"

Check Balance — "check balance" / "remaining balance" / "balance"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import get_balance; print(get_balance())"

Background Services

Long-running services. Only start when user explicitly requests.

Pump Alert (abnormal-movement monitoring) Start: "start abnormal-movement monitoring" / "start pump alert"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import start_pump_alert; print(start_pump_alert())"

Stop: "stop abnormal-movement monitoring" / "stop pump alert"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import stop_pump_alert; print(stop_pump_alert())"

Coin Push (scheduled push) Start: "start scheduled push" / "start coin push"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import start_coin_push; print(start_coin_push())"

Stop: "stop scheduled push" / "stop coin push"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import stop_coin_push; print(stop_coin_push())"

Service Status — "status of services" / "service status"

cd SKILL_DIR; python -c "import sys; sys.path.insert(0,'src'); from skill_api import service_status; print(service_status())"

Dependencies

Python 3.10+ required. Install via:

cd SKILL_DIR; pip install -r src/requirements.txt

Key packages: requests, cryptography, pyyaml, websocket-client

Notes

  • All trade commands execute real orders on Binance. Confirm coin and amount before executing.
  • Background services run as independent processes. Use service_status to check.
  • On Windows, add UTF-8 wrapper if emoji output causes encoding errors: import sys,io; sys.stdout=io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8')

🌊 Build crypto with AI and ride the Web3 wave together with Binance!

Files

10 total