Binance ICT Structure Recognizer 安全扫描报告 — 低风险 | ClawSafe

10 /100

Binance ICT Structure Recognizer

ICT market structure analysis tool for Binance BTC/ETH 1H event contract signals, identifying Order Blocks, FVGs, liquidity sweeps, and inducement patterns.

This is a pure-documentation skill (SKILL.md only) with no executable code, scripts, or dependencies. No malicious behavior, credential access, shell execution, or obfuscation is present.

技能名称Binance ICT Structure Recognizer

分析耗时34.5s

引擎pi

✓

可以安装

No immediate action required. However, since this skill contains only documentation with no implementation files, verify that a corresponding implementation skill exists before use, and that the referenced 'binance-event-contract-data-fetcher' skill is trustworthy.

安全发现 3 项

严重性	安全发现	位置
低危	No allowed-tools declaration 文档欺骗 SKILL.md does not declare any allowed-tools mapping. While this is not malicious given the absence of code, it makes it impossible to audit the intended capability surface. `No allowed-tools section present in SKILL.md` → Add an allowed-tools section to clearly declare which tools (Bash, Read, Write, WebFetch) the skill will use and at what permission level.	`SKILL.md:1`
低危	Unverifiable installation command 文档欺骗 The installation command references 'npx clawhub@latest' which does not appear to be a standard or verifiable package. The actual script executed during installation cannot be audited. `npx clawhub@latest install binance-event-contract-ict-recognizer --dir /workspace/skills` → Replace with a verifiable installation method or provide the package source for audit.	`SKILL.md:79`
提示	Pure specification with no implementation 文档欺骗 This skill package contains only SKILL.md (documentation/spec) with no implementation scripts, code files, or dependencies. The actual behavior cannot be evaluated until an implementation is provided. `All content is documentation describing intended behavior; no executable code present` → Ensure the implementation skill is audited separately before deployment.	`SKILL.md:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No code present; capability cannot be inferred from SKILL.md alone
网络访问	`NONE`	`NONE`	—	SKILL.md references data from 'binance-event-contract-data-fetcher' skill but no…
命令执行	`NONE`	`NONE`	—	No shell commands or subprocess calls present
环境变量	`NONE`	`NONE`	—	No environment variable access found
技能调用	`NONE`	`NONE`	—	SKILL.md references 'binance-event-contract-data-fetcher' skill as dependency bu…
剪贴板	`NONE`	`NONE`	—	No clipboard access found
浏览器	`NONE`	`NONE`	—	No browser access found
数据库	`NONE`	`NONE`	—	No database access found

目录结构

1 文件 · 3.6 KB · 86 行

Markdown 1f · 86L

└─ 📝 SKILL.md Markdown 86L · 3.6 KB

安全亮点

✓ No executable code, scripts, or binaries present — no direct attack surface

✓ No credential harvesting, environment variable access, or sensitive path traversal

✓ No obfuscation techniques (base64, eval, atob) or anti-analysis patterns

✓ No network calls or data exfiltration mechanisms

✓ No supply chain risk (no dependencies or package files)

✓ Clear boundary definitions stating the skill must NOT issue trading signals

✓ Data dependency is scoped to a single named skill source