Binance Query Token

Security checks across malware telemetry and agentic risk

Overview

This is a read-only token lookup guide that calls public market-data APIs, with minor privacy and provenance notes but no install code, credentials, persistence, or account-changing behavior.

Install if you want an agent to fetch public token information and charts. Avoid putting private portfolio strategy or unrelated sensitive details in token queries, and verify the publisher/endpoints before relying on the results for financial decisions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill description and usage guidance are broad enough to trigger on generic requests like searching tokens, checking prices, viewing market data, or chart analysis, without clearly constraining when this external-data skill should be invoked. Over-broad routing can cause unnecessary transmission of user-provided terms or addresses to third-party services and may lead the agent to use the skill in contexts where the user did not intend an external lookup.

Missing User Warnings

Low

Confidence: 96% confidence
Finding: The skill sends user-supplied keywords, contract addresses, and chain identifiers to external Binance and sintral.io endpoints, but the documentation does not warn that these values leave the system. This creates a privacy and transparency issue because users may not realize their search terms or addresses are being shared with third parties for processing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal