Safety Report

Binance-Hunter

Name: Binance-Hunter
Rating: 3 (6 reviews)
Author: TetrAVAD

The Hunter: Professional Binance Trading Skill. Features AI market analysis, auto-risk calculation, and 125x leverage support.

1,876Downloads

6Installs

6Stars

1Versions

Search & Retrieval2,116 Customer Support1,744 Networking & DNS1,102 Math & Science439

Security Analysis

high confidence

Suspicious0.04 risk

The skill's files and instructions partly match a trading analyzer, but there are multiple inconsistencies and an elevated privilege setting (always:true) combined with instructions that can place real trades — review carefully before enabling.

Feb 11, 20264 files5 concerns

Purpose & Capabilityconcern

The skill claims to be a Binance trading/analysis tool and includes a Python analyzer script that legitimately fetches market data. However package.json lists Python libraries (pandas, ta) as npm dependencies (misplaced), and the registry metadata declares no required credentials while SKILL.md instructs users to store API keys (file ~/.openclaw/credentials/binance.json) or set env vars. Required binaries list omits openssl even though the provided curl examples use openssl to HMAC-sign requests. These mismatches are disproportionate or inconsistent with a cleanly packaged analyzer.

Instruction Scopeconcern

SKILL.md includes many cURL examples that perform authenticated account queries and place/cancel orders (spot and futures). Those examples require API keys and secrets and direct the user to store credentials on disk or in env vars. The analyzer script itself only does read-only market fetches, but the instructions explicitly show how to execute trades — meaning the skill can be used to place real trades if keys are provided. The SKILL.md also uses inconsistent variable names (suggests BINANCE_API_KEY / BINANCE_SECRET but cURL examples use API_KEY / SECRET), increasing the risk of misconfiguration.

Install Mechanismnote

There is no install spec (instruction-only plus a Python script), which reduces install risk. However package.json is present and claims dependencies that are Python packages — this is a packaging inconsistency (npm vs pip). No archives or external downloads are defined, so install risk is low but the dependency packaging is incoherent and may confuse users or automated installers.

Credentialsconcern

The registry metadata lists no required env vars or credential as primary, but the SKILL.md instructs storing Binance API key/secret in a credentials file or as env vars. That discrepancy means the skill requests sensitive secrets in practice but doesn't declare them. Also openssl and variable-name mismatches (BINANCE_API_KEY vs API_KEY) are present. The amount and sensitivity of the credentials (Binance API key + secret) are significant for a skill that declares no credentials.

Persistence & Privilegeconcern

The skill is marked always:true, meaning it will be force-included in every agent run. Combined with SKILL.md instructions that demonstrate how to execute authenticated trades, this increases the blast radius: an always-enabled skill that can be used to place orders (if credentials are present) is a meaningful privilege. The skill does not declare credentials up front, which makes this configuration more suspicious.

Guidance

This skill mixes a benign market-analysis script with explicit, copy-paste examples for placing authenticated Binance orders. Before installing or enabling it (especially because it's flagged always:true): - Treat the cURL examples as sensitive: they require your Binance API key and secret. Only provide keys with minimal privileges (prefer testnet or read-only keys) and avoid using keys that allow irreversible trading/withdrawals. - The package.json is inconsistent (lists Python libs in an npm manifest). Confirm how dependencies are actually installed (pip) and manually inspect/install required Python packages (ccxt, pandas, ta). Do not run any install scripts you don't understand. - The SKILL.md omits openssl from required binaries but uses it in signing commands — ensure required tools are present and correct variable names are used (the README mixes BINANCE_API_KEY/BINANCE_SECRET and API_KEY/SECRET). - Because always:true forces the skill into every agent run, consider disabling that or requiring manual invocation until you can confirm it will not autonomously execute trades. If you must use it, run with a Binance testnet API key or a key restricted to read-only market data. - If you need to proceed: ask the publisher for a clear install guide, confirm where credentials are read from, and request that the skill declare required env vars and minimize privileges. If the source/publisher is unknown (homepage: none), prefer not enabling always:true and avoid providing high-privilege keys.

Latest Release

v1.0.0

Initial release: Professional Binance trading skill with automated analysis, risk calculation, and leveraged trading. - Provides real-time market analysis using "The Hunter" algorithm. - Automates risk management with smart stop-loss and take-profit settings based on market volatility. - Supports leverage up to 125x for futures trading. - Includes comprehensive command set for spot and futures trading with example API calls. - Offers fee discount via referral and credential setup instructions. - Adds safety guidelines and useful Binance resources for users.

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @TetrAVAD on ClawHub