Binance ICT Structure Recognizer Security Report — Low Risk | ClawSafe

10 /100

Binance ICT Structure Recognizer

ICT market structure analysis tool for Binance BTC/ETH 1H event contract signals, identifying Order Blocks, FVGs, liquidity sweeps, and inducement patterns.

This is a pure-documentation skill (SKILL.md only) with no executable code, scripts, or dependencies. No malicious behavior, credential access, shell execution, or obfuscation is present.

Skill NameBinance ICT Structure Recognizer

Duration34.5s

Enginepi

✓

Safe to install

No immediate action required. However, since this skill contains only documentation with no implementation files, verify that a corresponding implementation skill exists before use, and that the referenced 'binance-event-contract-data-fetcher' skill is trustworthy.

Findings 3 items

Severity	Finding	Location
Low	No allowed-tools declaration Doc Mismatch SKILL.md does not declare any allowed-tools mapping. While this is not malicious given the absence of code, it makes it impossible to audit the intended capability surface. `No allowed-tools section present in SKILL.md` → Add an allowed-tools section to clearly declare which tools (Bash, Read, Write, WebFetch) the skill will use and at what permission level.	`SKILL.md:1`
Low	Unverifiable installation command Doc Mismatch The installation command references 'npx clawhub@latest' which does not appear to be a standard or verifiable package. The actual script executed during installation cannot be audited. `npx clawhub@latest install binance-event-contract-ict-recognizer --dir /workspace/skills` → Replace with a verifiable installation method or provide the package source for audit.	`SKILL.md:79`
Info	Pure specification with no implementation Doc Mismatch This skill package contains only SKILL.md (documentation/spec) with no implementation scripts, code files, or dependencies. The actual behavior cannot be evaluated until an implementation is provided. `All content is documentation describing intended behavior; no executable code present` → Ensure the implementation skill is audited separately before deployment.	`SKILL.md:1`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No code present; capability cannot be inferred from SKILL.md alone
Network	`NONE`	`NONE`	—	SKILL.md references data from 'binance-event-contract-data-fetcher' skill but no…
Shell	`NONE`	`NONE`	—	No shell commands or subprocess calls present
Environment	`NONE`	`NONE`	—	No environment variable access found
Skill Invoke	`NONE`	`NONE`	—	SKILL.md references 'binance-event-contract-data-fetcher' skill as dependency bu…
Clipboard	`NONE`	`NONE`	—	No clipboard access found
Browser	`NONE`	`NONE`	—	No browser access found
Database	`NONE`	`NONE`	—	No database access found

File Tree

1 files · 3.6 KB · 86 lines

Markdown 1f · 86L

└─ 📝 SKILL.md Markdown 86L · 3.6 KB

Security Positives

✓ No executable code, scripts, or binaries present — no direct attack surface

✓ No credential harvesting, environment variable access, or sensitive path traversal

✓ No obfuscation techniques (base64, eval, atob) or anti-analysis patterns

✓ No network calls or data exfiltration mechanisms

✓ No supply chain risk (no dependencies or package files)

✓ Clear boundary definitions stating the skill must NOT issue trading signals

✓ Data dependency is scoped to a single named skill source

Scan Report

Findings 3 items

File Tree

Security Positives