OpenClaw Binance
Review
Audited by ClawScan on May 10, 2026.
Overview
Review recommended: the skill mostly matches Binance monitoring, but it asks for high-impact Binance API secrets without clearly limiting or declaring their permissions and includes unsupported trust claims.
Only use this skill if you can provide a tightly restricted read-only Binance API key with trading and withdrawals disabled, keep config.json private, and verify the publisher/source yourself. The code shown appears to fetch market data, generate a local report, and optionally send a Feishu alert; it does not show trading actions, but its credential scope and trust claims need review before installation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may place a high-privilege Binance key in the skill even though the shown code does not need trading authority, increasing account risk if the config, dependencies, or runtime are compromised.
The program loads a Binance API key and secret, but the visible Binance operation is a market-data call. The artifacts do not document read-only scope, trading/withdrawal restrictions, or a credential contract for these financial-account secrets.
client = Client(CONFIG["API_KEY"], CONFIG["SECRET_KEY"]) ... klines = client.get_klines(symbol=symbol, interval='1h', limit=24)
Use only a restricted read-only Binance API key with trading and withdrawals disabled, store it securely, and require the skill metadata/docs to declare the credential and its minimum permissions.
Users may underestimate the risk of supplying Binance API secrets because the documentation asserts that the skill is already tested and reliable.
The skill makes an approval/reliability claim that is not substantiated by the provided artifacts and could encourage users to trust it before adding financial credentials.
> 🚀 This skill has passed OpenClaw testing and is stable and reliable!
Treat the approval claim as unverified; review the code, source, dependencies, and credential scope independently before installation.
Risk alert text will be sent to the configured Feishu destination.
The skill can send alert messages to a user-configured Feishu webhook. This is disclosed and purpose-aligned, but it is still an outbound data flow.
response = requests.post(CONFIG["FEISHU_WEBHOOK_URL"], headers=headers, json=data, timeout=10)
Use only a trusted webhook URL and verify that alert contents are appropriate for that channel.
Users have less reliable information for confirming the skill's source, maintenance, and security posture.
The documentation link is a placeholder, which weakens provenance verification for a skill that asks users to configure financial exchange credentials.
"documentation": "https://github.com/your-repo/binance-quant-trading"
Verify the publisher/source out of band and prefer a real repository, changelog, and dependency review before using it with Binance credentials.
