Binance Official Spot

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Binance Spot API purpose, but it asks agents to handle live financial credentials and trading actions with unsafe credential storage and ambiguous live-account defaults.

Install only if you are comfortable giving an agent access to Binance Spot data and possible trading actions. Use testnet first, use least-privilege keys with withdrawals disabled and IP restrictions, avoid storing secrets in TOOLS.md or chat files, and require explicit account and action confirmation before any live order or cancellation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill expands from making Binance Spot API requests into persistent credential management by instructing storage of API keys and secrets in a local `TOOLS.md` file. Persisting exchange credentials in a general documentation/config file materially increases the chance of accidental disclosure through source control, logs, backups, or later tool access, and is not necessary for the stated API-request purpose.

Context-Inappropriate Capability

Severity: Low
Confidence: 82%
Finding
The skill documents how to list the stored account inventory and even references unrelated account categories such as `futures-keys`, which broadens visibility into sensitive account metadata beyond the spot-trading use case. Even when keys are masked, exposing account names, environments, and the existence of additional exchange accounts can aid reconnaissance and encourage overbroad secret handling.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill exposes many authenticated and destructive endpoints, including order placement, cancellation, and bulk cancellation, but provides only a narrow confirmation rule for mainnet transactions rather than a broader safety model for all sensitive actions. In an agent setting, insufficient warnings and guardrails around high-impact actions can lead to accidental financial loss, unintended order execution, or account changes from ambiguous prompts.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill tells users to provide API credentials by sending a file containing the raw API key and secret, but does not warn against plaintext transmission, retention, or reuse risk. This directly encourages insecure secret handling and creates multiple exposure paths in chat history, attachments, logs, local storage, and downstream processing.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
Defaulting to the `main` account when account selection is ambiguous is unsafe because it biases execution toward the highest-risk environment, likely mainnet, without explicit user intent. In a trading skill, ambiguity resolution that silently selects a real account can cause unintended live orders, cancellations, or account data exposure.

VirusTotal

65/65 vendors flagged this skill as clean.