Is fpsjago/binance-dca-test safe?
https://github.com/openclaw/skills/tree/main/skills/fpsjago/binance-dca-test
The binance-dca-test skill contains no malicious prompt injection, no data exfiltration code, and no executable scripts — making it safe from a direct attack surface perspective. However, the skill is fundamentally incomplete: it references a bash script (scripts/dca.sh) that does not exist in the repository, rendering all documented functionality inoperable. The '-test' suffix and an accidentally committed development lock.json (referencing an unrelated skill) confirm this is an immature, work-in-progress publication. When eventually completed, the skill would execute live financial transactions on Binance with minimal confirmation safeguards, warranting careful review before any production use.
Findings (6)
MEDIUM Referenced scripts/dca.sh absent from repository (-28)
The skill's entire documented functionality depends on bash scripts/dca.sh but no scripts directory or shell scripts are present in the installed files. The skill cannot perform any DCA operations as deployed. Users may be led to obtain the missing scripts from external, unverified sources.
MEDIUM Skill incomplete: financial execution risk when scripts provided (-20)
The skill advertises live Binance MARKET buy order execution with no confirmation step. When/if functional, a single agent invocation could place irreversible crypto purchases. The skill's description aggressively pattern-matches on many user phrases (DCA, accumulation, recurring buys) increasing the chance of unintended activation.
LOW Cron example exposes API credentials in process arguments (-12)
The scheduling guidance shows API keys set as inline env vars in the cron command line (BINANCE_API_KEY=... BINANCE_SECRET_KEY=...), which makes them visible to any user who can run ps aux or read /proc. This is contrary to the skill's own 'never store credentials' guidance and could normalize bad credential handling.
LOW Development artifact lock.json committed to skill (-12)
The .clawhub/lock.json included in the skill lists academic-research-hub as an installed dependency — a completely unrelated skill. This indicates the skill author accidentally committed their personal OpenClaw environment state, suggesting poor development hygiene and possible confusion about what files belong in a published skill.
INFO Canary credential files accessed: attributed to platform monitoring (-5)
Auditd PATH records show systematic access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at two points: pre-install (1771951268.58x) and post-install (1771951287.875). The identical access pattern, timing relative to the Oathe audit lifecycle, and confirmed canary integrity all indicate this is the Oathe platform performing its own canary baseline and verification checks, not behavior triggered by the skill.
INFO openclaw-gateway AWS connections post-install (-5)
After installation, the openclaw-gateway process (pid=1085, a low PID indicating it was already running) established two new TCP connections to 44.214.208.192:443 (AWS EC2) and opened local listeners on ports 18790 and 18793. This appears to be the OpenClaw platform's own agent infrastructure connecting to its backend, not activity triggered by the Binance DCA skill content.