ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Binance Exchange

v1.0.0

Fetch real-time prices, 24h stats, K-line charts, and market info for Binance spot trading pairs using the Binance API via proxy.

0· 106·1 current·1 all-time
bymoer@torchesfrms
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts implement public Binance REST queries (prices, klines, 24h stats) which matches the skill description. However, the skill metadata declares no required binaries while the scripts clearly require curl, jq and bc (and rely on a proxy). Declaring those binaries would be expected for this purpose.
!
Instruction Scope
SKILL.md and the scripts instruct network calls to https://api.binance.com only (expected). Concerns: SKILL.md references ./scripts/search.sh in examples but no search.sh file is present; token-info.sh claims "no proxy needed" while SKILL.md states a proxy is required and other scripts hard-code a local proxy (-x http://127.0.0.1:1082). These inconsistencies could cause surprising failures or indicate sloppy packaging.
Install Mechanism
No install spec and no remote downloads — the skill is instruction + local scripts only. No extracted archives or off-site install URLs were found, which is low risk from an installation perspective.
Credentials
No credentials or secret environment variables are requested (good). The skill asks users to set HTTP_PROXY/HTTPS_PROXY to a local proxy; that is plausible for region-restricted API access but requires the user to provide/trust the proxy. token-info.sh reads HTTP_PROXY optionally but does not consistently use it.
Persistence & Privilege
The skill does not request persistent presence, does not alter other skills, and does not claim elevated privileges. always is false and there is no install step that modifies system or agent configuration.
What to consider before installing
This skill appears to do what it says (query Binance public endpoints) but I recommend the following before using or installing it: 1) Verify dependencies: install and trust curl, jq, and bc — the scripts need them but the metadata doesn't declare them. 2) Check the missing script: SKILL.md references scripts/search.sh which isn't included; ask the author or remove references. 3) Resolve proxy inconsistencies: decide whether a proxy is required; if you must use a proxy, only use one you trust (running a local proxy can route traffic through third parties). 4) Review scripts locally before execution — they make outbound HTTPS requests to api.binance.com and do not exfiltrate other data, but always run untrusted scripts in an isolated environment. 5) If you need stronger assurance, request an updated package from the author that declares dependencies and fixes the documentation mismatches.

Like a lobster shell, security has layers — review code before you run it.

latestvk977a25y88d2zsah7c7r9y483h839mg9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments