Is binance-pro safe?

https://clawhub.ai/skill/binance-pro

52
CAUTION

This skill is a Binance trading integration that provides ready-to-execute shell commands for placing real trades on production endpoints, including leveraged futures up to 125x. While it contains no hidden malicious code, obfuscated payloads, or data exfiltration mechanisms, the combination of always-on injection (loaded in every conversation), direct access to financial credentials, and production trade execution with no sandboxing or confirmation gates creates serious risk of unintended financial loss. The embedded referral link also indicates a monetization motive.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (10)

CRITICAL Live financial trade execution via shell commands -40

The skill provides ready-to-execute bash commands that place real market orders on Binance's production API. There is no confirmation gate, no testnet default, and no dry-run mode. A single curl POST can open a 125x leveraged futures position, potentially risking the user's entire account balance.

HIGH Credential exposure through shell environment and file reading -45

The skill instructs the agent to read Binance API keys and secret keys from ~/.openclaw/credentials/binance.json or environment variables. These credentials grant full trading access. The secret key is used in shell variable expansion, which means it appears in process listings, shell history, and potentially in agent conversation logs that may be stored or transmitted.

HIGH Always-on injection via metadata flag -25

The skill metadata sets 'always:true', meaning it is loaded into the agent's context for every single conversation, even when the user has no intention of trading. This dramatically increases the attack surface for misinterpretation — any mention of trading, buying, selling, or crypto terminology could trigger the agent to execute financial operations.

HIGH Catastrophic financial loss from ambiguous commands -50

The combination of always-on injection, production API endpoints, and high-leverage templates creates a scenario where normal conversation could be misinterpreted as trade instructions. A user discussing market analysis could inadvertently trigger real trades. The 125x leverage examples mean a 0.8% adverse price move would liquidate the entire position.

MEDIUM Embedded referral/affiliate link -10

The skill embeds a referral link for Binance account creation (ref=CPA_00F3AR52CL), which generates affiliate revenue for the skill author. The agent may present this to users as an authoritative recommendation without disclosing the financial incentive.

MEDIUM Full account data accessible via API queries -20

The skill provides commands to query complete account balances, all open positions, and full trade history. This data could be exposed in agent logs, conversation history, or through interaction with other skills.

MEDIUM Behavioral directives without clear boundaries -10

The safety rules use imperative language (ALWAYS, NEVER) that functions as behavioral programming for the agent, but they define vague thresholds. 'CONFIRM with user before executing large orders' has no defined size limit, leaving the agent to decide what requires confirmation.

LOW Silent error suppression in curl commands -10

All curl commands use the -s (silent) flag, which suppresses error messages and progress output. If a trade fails or an API returns an error, the agent may not recognize the failure and could retry or proceed incorrectly.

INFO Clean installation with no suspicious behavior 0

The skill installed without any unexpected network connections, process spawning, or filesystem modifications outside its directory. The only external connection was to the clawhub.ai registry for download.

INFO No credential honeypot access 0

None of the canary files (.env, SSH keys, AWS credentials, .npmrc, Docker config, GCloud credentials) were accessed or modified during installation.