Binance Pro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a real Binance trading integration, but it asks for powerful trading credentials and provides direct commands for leveraged trades without clear safety limits or confirmation requirements.
Review carefully before installing. Do not give this skill withdrawal permission. If you use it, create a dedicated Binance API key with the minimum permissions, IP restrictions, and small test limits; require explicit confirmation before every trade or leverage change.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
63/63 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with valid credentials, the agent could place or cancel trades and change leveraged positions, potentially causing major financial loss.
The artifact directly enables high-impact signed Binance API operations, including leveraged futures market orders, without explicit confirmation, amount limits, or bounded workflows.
“Trade spot, futures with up to 125x leverage ... open/close positions ... and any Binance operation” and `curl -s -X POST "https://fapi.binance.com/fapi/v1/order?..."`
Only use with explicit per-trade confirmation, strict amount and symbol limits, Binance testnet where possible, and narrowly scoped API keys.
A Binance API secret with trading permissions can control account actions; storing it locally without clear scoping or protection increases the consequence of accidental or unauthorized use.
The skill asks for persistent high-impact Binance credentials while the registry metadata declares no primary credential or required environment variables, and the artifact does not bound the API-key permissions.
Save to `~/.openclaw/credentials/binance.json`: `{ "apiKey": "YOUR_API_KEY", "secretKey": "YOUR_SECRET_KEY" }`
Use a Binance API key limited to the minimum required permissions, avoid withdrawal permission, enable IP restrictions, protect the credential file, and prefer read-only keys unless trading is explicitly needed.
The skill may fail or behave inconsistently on systems without openssl available.
The examples depend on `openssl` for request signing, but the declared requirements list only `curl` and `jq`, making the runtime dependency contract incomplete.
`SIGNATURE=$(echo -n "$QUERY" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)`
Declare openssl as a required binary or provide a supported signing method with clear setup instructions.
