Binance-Hunter
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is related to its stated Binance trading purpose, but it asks for powerful trading credentials and documents raw commands that can place leveraged market orders without clear safety guardrails.
Review carefully before installing or using. Only use a dedicated Binance API key with withdrawals disabled, the narrowest permissions possible, and IP restrictions if available. Do not allow automated order placement without explicit confirmation, and treat the market-analysis output as advisory rather than a proven risk-management system.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a trading-enabled Binance key, the agent or user could place leveraged trades that may quickly cause financial loss.
The skill documents raw signed Binance API calls that can open futures market positions and change leverage. These are purpose-aligned for trading, but they are high-impact financial actions and the artifact does not specify approval gates, maximum loss limits, testnet mode, or other containment.
### Open LONG Position (Buy) ... type=MARKET ... curl -s -X POST "https://fapi.binance.com/fapi/v1/order?..." ... ### Change Leverage ... LEVERAGE="10" # 1 to 125
Require explicit user confirmation before every account-mutating call, prefer Binance testnet for practice, set strict position-size/leverage limits, and avoid giving the agent unrestricted trading authority.
Over-scoped or mishandled Binance keys could expose balances and positions or allow unwanted trades on the user's account.
The skill asks for persistent Binance API credentials. The artifacts do not clearly restrict the key to read-only access, trading-only access, IP allowlisting, withdrawal-disabled permissions, or a platform-managed secret boundary.
Save to `~/.openclaw/credentials/binance.json`:
{
"apiKey": "YOUR_API_KEY",
"secretKey": "YOUR_SECRET_KEY"
}Use a dedicated restricted API key, disable withdrawals, enable IP restrictions where possible, prefer read-only keys for analysis, and store secrets only in a trusted secret manager.
A user may believe the skill has stronger automated risk controls than the supplied artifacts demonstrate.
This risk-control claim is material for leveraged trading, but the provided analyzer code only returns symbol, price, trend, action, and RSI; it does not show ATR-based stop-loss or take-profit calculation. Users could over-trust advertised safety features.
🛡️ **Auto-Risk:** Smart SL/TP calculation based on Volatility (ATR)
Treat the output as informational only unless ATR-based stop-loss/take-profit logic is actually implemented, reviewed, and used with explicit user approval.
If the user manually installs these dependencies, future compatible versions may differ from what was originally tested.
The package lists third-party dependencies with non-exact version ranges. There is no install spec showing automatic installation, so this is a provenance note rather than a direct execution concern.
"dependencies": {
"ccxt": "^4.0.0",
"pandas": "^2.0.0",
"ta": "^0.10.0"
}Pin exact dependency versions and use a reviewed lockfile or trusted package source before running the analyzer.