ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Binance Web3

v1.0.0

Query token prices, market data, K-line charts, and smart money trading signals via Binance Web3 APIs. Use when users search tokens, check prices, view marke...

0· 172·1 current·1 all-time
bymoer@torchesfrms
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included scripts: all scripts perform token search, market data, k-line, address, and smart-money queries. The functionality requested by the skill is coherent with its stated purpose.
!
Instruction Scope
The SKILL.md and scripts instruct the agent to execute shell scripts that perform network requests to external endpoints (primarily web3.binance.com and also dquery.sintral.io). The scripts do not read user files or secrets, but they do rely on shell execution and network access. One script uses the HTTP_PROXY environment variable implicitly, which is not declared in the metadata — that means the skill will respect a proxy if present and could route traffic through a user-configured proxy.
Install Mechanism
There is no install spec (instruction-only plus shipped scripts). Nothing is downloaded or extracted by an installer, so the install mechanism itself is low-risk.
!
Credentials
The skill declares no required environment variables or credentials, which matches that no API keys are needed. However, the scripts implicitly read HTTP_PROXY (and rely on curl and jq binaries) but those requirements are not declared in the metadata. The scripts therefore assume network access and presence of command-line tools without declaring them; this discrepancy is a proportionality/visibility issue.
Persistence & Privilege
The skill does not request permanent/always-on presence or modify other skills or system settings. It runs on demand and has no special platform privileges.
What to consider before installing
This skill appears to be a thin wrapper around curl calls to Binance Web3 endpoints and a third-party k-line endpoint (dquery.sintral.io). Before installing: 1) Verify you are comfortable with the skill making outbound HTTP requests from your environment. 2) Confirm the third-party domain (dquery.sintral.io) is acceptable for your use — it is not the same host as web3.binance.com. 3) Ensure curl and jq are available on the agent runtime; the skill does not declare these requirements. 4) Be cautious about any HTTP_PROXY you set — the scripts will use it if present and could route requests through that proxy. 5) If you need stronger assurance, run the scripts in a sandboxed environment, inspect network traffic, or reach out to the skill author for clarification about the non-Binance endpoint and why required binaries/env vars were not declared.

Like a lobster shell, security has layers — review code before you run it.

latestvk971cz70t1m53fxj83bre7sngd838kb0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments