Binance Coach

Security checks across malware telemetry and agentic risk

Overview

Binance Coach is mostly a real portfolio-coaching skill, but it handles sensitive financial data and adds optional persistent/external data flows that deserve manual review before installation.

Install only if you are comfortable giving the skill read-only Binance API access and storing portfolio/trade data locally. Use Binance keys with read-only permissions and IP restrictions where possible. Treat Claude/Anthropic and Telegram modes as external sharing of financial context, not local-only processing. Decline the USER.md default-handler hook and scheduled crons unless you specifically want persistent crypto routing and recurring Telegram reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (34)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises and implies capabilities to read environment secrets, write local files, access the network, and run shell-based installation/setup actions, yet no explicit permissions are declared in the manifest. This creates a transparency and consent problem: users and the platform may invoke a skill with more power than its metadata communicates, increasing the chance of unsafe execution paths involving secrets, filesystem changes, or external code/dependency fetches.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is a Binance coaching assistant, but the behavior includes modifying OpenClaw configuration, writing memory/journal files, creating cron jobs, self-updating from remote sources, installing dependencies, and handling local databases/exports. This mismatch is dangerous because users may consent to portfolio analysis while unintentionally authorizing persistent system changes, remote code ingestion, secret handling, and scheduled background execution outside the expected scope.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The guide instructs the agent to persistently register BinanceCoach as the default handler for ANY crypto-related question by editing a user-wide profile file. That exceeds the stated coaching role and creates cross-session behavior modification, which can steer future requests toward this skill without fresh user intent and expand its influence beyond the current task.

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The guide includes self-update/install instructions that are not part of the user-facing coaching functionality and cause the agent to fetch and replace code. Even if intended for maintenance, this broadens the skill's operational scope and introduces supply-chain and unexpected code-change risk if invoked in normal use.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Directing the agent to edit a global USER.md file to influence future sessions is a persistence mechanism unrelated to answering the current request. This can silently alter assistant behavior across contexts, creating lasting preference hijack and making later sessions follow this skill by default even when unnecessary.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The wrapper includes a self-update path that fetches new skill files and reinstalls Python dependencies from external sources, which materially exceeds a portfolio-coaching wrapper's expected local-execution role. This expands the trust boundary to ClawHub/GitHub/PyPI and creates a supply-chain and self-modification risk if any upstream source or dependency is compromised.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script creates and deletes OpenClaw cron jobs, which is an environment-management capability not inherent to crypto coaching and grants the skill persistence and scheduling control. Even though the feature is user-invoked, it can alter the host's automated task state and establish recurring behavior outside the immediate session.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script reads Telegram credentials from a local .env file and automatically sends derived portfolio health and trading advice to Telegram. That is an external data flow of sensitive financial information, and the file itself provides no explicit consent, disclosure, or gating beyond the presence of a token, so users may unknowingly exfiltrate portfolio data off-host.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The message states that a snapshot was saved to coach.db, but this script does not persist anything. Misrepresenting local persistence can mislead users and operators during audits or incident response, causing them to believe data is stored locally when it may only have been transmitted externally.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The header comment claims 'No internet required' even though the script explicitly installs packages from PyPI and performs a live Binance connectivity check. This is deceptive setup behavior that can mislead users about network access and trust boundaries during installation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script modifies OpenClaw USER.md to register itself as the default handler for any crypto-related question, expanding its authority beyond a one-time setup into persistent behavioral control. Even though consent is requested, the inserted instruction is overly broad and can bias future sessions in ways the user may not fully understand.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script offers to create scheduled OpenClaw jobs that automatically run analysis and send outputs to Telegram, which introduces ongoing autonomous behavior and data egress beyond normal user-invoked coaching. This increases risk because portfolio analysis may be transmitted regularly without the user appreciating the persistence and sensitivity of the output.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
The import-orders command pulls and stores a user's full Binance order history locally, which is materially broader and more sensitive than simple market coaching. In a skill advertised primarily as coaching and analytics, silently enabling archival of detailed trade history increases privacy risk and creates a larger local data exposure surface if the host or database is later compromised.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The message says 'Your data never leaves your machine,' yet the command necessarily sends requests to Binance to fetch order history. That statement is misleading and can cause users to consent under a false privacy expectation, especially in a financial context involving sensitive trading records.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation description is broad enough to match generic crypto-related requests such as market data, education, alerts, news, and 'ask anything about their Binance portfolio,' which can cause over-triggering. Overbroad routing is risky here because this skill appears able to access account-linked data, write files, and initiate setup/watcher behavior, so accidental invocation could expose data or perform side effects in contexts where the user did not intend to use this specific skill.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The quick-start phrase 'analyze my portfolio' is a common utterance that could appear in many financial contexts, making accidental activation likely. In a skill that may access Binance credentials, modify local configuration, or initiate background functionality, such a generic trigger expands the chance of unintended sensitive operations or disclosure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The command reference explicitly states that `ask` always includes the user's full portfolio, holdings, behavioral analysis, and Fear & Greed context when sending prompts to Claude. That means sensitive financial and behavioral data is disclosed to a third-party AI provider by default, without any explicit user warning, consent flow, or data-minimization control in the documented interface. In a crypto portfolio coaching skill, this context is especially sensitive because it can reveal net worth, positions, trading habits, and emotional decision patterns.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The function posts portfolio analysis content to the Telegram Bot API without any user-facing warning in the script. Because this skill handles crypto portfolio and behavioral coaching data, undisclosed transmission increases privacy risk and can expose sensitive financial context to third-party infrastructure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends account-derived portfolio analytics to Telegram, a third-party service, without any in-script consent gate, disclosure prompt, or data-minimization control. In a crypto portfolio coaching skill, this is more sensitive than generic telemetry because balances, health scores, and market-timing advice reveal financial holdings and behavior that could expose the user to privacy loss or targeting if misrouted or compromised.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The injected USER.md text says to always use this skill for ANY crypto-related question and to never do manual lookups when BinanceCoach can handle it. Such broad natural-language routing can hijack future agent behavior and suppress normal verification or safer alternative tools.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The /ask flow sends the user's freeform question together with portfolio, market, and behavioral data to an external AI service. In a finance context this can disclose sensitive holdings, trading patterns, and potentially identifying behavioral information to a third party without an explicit just-in-time notice or consent, creating a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The coaching summary transmits portfolio health, market context, and behavioral analysis to an external AI provider without a specific user-facing disclosure at the point of use. Because this skill operates on crypto portfolio data, the sensitivity is higher than generic chatbot usage: the data can reveal asset composition, account value patterns, and trading behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The weekly coaching path sends account-derived portfolio, market, behavior, and DCA recommendation data to an external AI service without explicit disclosure. This is dangerous because repeated automated summaries can continuously export sensitive financial context, increasing privacy exposure and compliance risk over time.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The ask path assembles portfolio balances, allocations, behavior metrics, fear/greed state, and coin-specific context, then sends it to an external AI model without an explicit user-facing warning at that call site. In a crypto portfolio assistant, this can expose sensitive financial holdings and behavioral profiling data to a third-party provider beyond what users may reasonably expect from a local command.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code sends detailed portfolio, market, and behavioral data to Anthropic for AI responses, but this file shows no consent gate, warning, minimization, or privacy control before that transfer. In a finance-focused skill, this can expose sensitive trading positions and behavioral signals to a third-party provider, creating privacy, compliance, and user-trust risk even if the provider is legitimate.

VirusTotal

66/66 vendors flagged this skill as clean.
