Spot Skill from Binance #10

Open
markusha77 wants to merge 3 commits into ChatAndBuild:main from markusha77:spot
@markusha77 markusha77 commented Mar 4, 2026

New Skill Contribution

Skill Info

  • Skill ID: spot
  • Category: Blockchain
  • Description: Binance Spot request guidance for market data and trading endpoints with API key authentication support for testnet and mainnet.

Checklist

  • SKILL.md has valid YAML frontmatter with all required fields
  • Skill ID matches the directory name
  • Category is one of: productivity, development, communication, writing, research, other
  • Instructions are clear and self-contained
  • Instructions are under 4000 tokens
  • No external URLs referenced in instructions
  • Tested the skill with an AI agent and it produces good results
  • Added usage examples in the frontmatter

Testing

Describe how you tested this skill:

Notes

Any additional context or notes for reviewers.

@markusha77 markusha77 reopened this Mar 5, 2026
greptile-apps bot commented Mar 18, 2026

Greptile Summary

This PR adds a new spot skill for Binance Spot API guidance, providing a comprehensive endpoint quick-reference table, parameter catalogue, and authentication instructions covering HMAC SHA256, RSA, and Ed25519 signing methods. While the scope and structure of the skill are solid, there are several correctness and security issues that should be addressed before merging.

Key findings:

  • Ed25519 signing command is wrong: `openssl pkeyut` does not exist (should be `openssl pkeyutl`) and Ed25519 must not be pre-hashed with SHA-256; agents following this example will generate invalid signatures.
  • /api/v3/historicalTrades authentication is mis-labelled — this endpoint requires an X-MBX-APIKEY header (API-key tier), but the table marks it as No, which will cause agents to receive 401 errors.
  • Plaintext credential sharing — the skill instructs users to paste their raw API key and secret directly into chat with no field labels, creating a security risk; environment variables or a named credential store should be recommended instead.
  • Duplicate parameter definitions: symbol, quantity, price, stopPrice, orderId, timestamp, and limit are each defined twice in the Common Parameters section, which is noisy and potentially confusing to agents.
  • pegOffsetValue description has missing spaces — the description text is run together (Priceleveltopegthepriceto(max:100). SeePeggedOrdersInfo).
  • Demo URL missing from authentication.md: SKILL.md references https://demo-api.binance.com but this environment is absent from the authentication reference's Base URLs table.
  • Skill is untested — the author explicitly left the testing checklist item unchecked and the Testing section blank.

Confidence Score: 2/5

  • Not safe to merge — the Ed25519 command is technically incorrect, the historicalTrades auth label is wrong, and the credential handling pattern introduces a security risk.
  • Two P1 logic issues (broken Ed25519 signing and wrong authentication tier for historicalTrades) would cause real failures for agents using this skill, and the plaintext credential guidance is a security concern. The skill is also self-reported as untested.
  • Both files need attention: skills/spot/references/authentication.md for the broken Ed25519 command and missing Demo URL, and skills/spot/SKILL.md for the historicalTrades auth label, duplicate parameters, credential handling, and formatting.

Important Files Changed

| Filename | Overview |
|----------|----------|
| skills/spot/SKILL.md | Main skill file for Binance Spot API guidance. Contains a comprehensive endpoint quick-reference table and parameter catalogue, but has several issues: the /api/v3/historicalTrades endpoint authentication is mis-labelled (requires API key header but marked "No"), multiple parameters are defined twice in the Common Parameters section, the pegOffsetValue description has missing spaces, and the credential-sharing format encourages pasting secrets in plaintext into the chat. |
| skills/spot/references/authentication.md | Authentication reference document. The HMAC SHA256 and RSA examples are correct, but the Ed25519 example uses a non-existent openssl pkeyut subcommand and incorrectly applies openssl dgst -sha256 (Ed25519 does not use external pre-hashing). The Demo base URL present in SKILL.md is also absent from this file's Base URLs table. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant Agent
    participant Binance

    User->>Agent: Request (e.g. Place a BUY order on testnet)
    Agent->>Agent: Load credentials from session

    alt Public endpoint - no auth required
        Agent->>Binance: GET /api/v3/exchangeInfo
        Binance-->>Agent: Exchange info JSON
    else API-key only endpoint (e.g. historicalTrades)
        Agent->>Binance: GET /api/v3/historicalTrades<br/>Header: X-MBX-APIKEY
        Binance-->>Agent: Trades JSON
    else Signed endpoint for trading and account data
        Agent->>Agent: Build query string + timestamp
        Agent->>Agent: Sign with HMAC-SHA256 or RSA or Ed25519
        Agent->>Binance: POST /api/v3/order<br/>Headers: X-MBX-APIKEY + signature param
        Binance-->>Agent: Order result JSON
    end

    Agent-->>User: Return result in JSON format
```

Last reviewed commit: "fix: remove unsuppor..."

Comment on lines +52 to +57
echo -n "symbol=BTCUSDT&side=BUY&type=MARKET&quantity=0.001&timestamp=1234567890123" | \
openssl pkeyut -pubout -in private_key.pem -outform DER | \
openssl dgst -sha256 -sign private_key.pem | base64
```

### Step 3: Append Signature

P1 Incorrect Ed25519 signing command

The Ed25519 example contains two errors:

  1. openssl pkeyut is not a valid OpenSSL subcommand — the correct one is openssl pkeyutl.
  2. Ed25519 handles its own internal hashing (it does not pre-hash with SHA-256), so piping through openssl dgst -sha256 -sign is incorrect and will produce a wrong/unusable signature.

The correct Ed25519 signing command is:

```bash
# Example using openssl pkeyutl for Ed25519
echo -n "symbol=BTCUSDT&side=BUY&type=MARKET&quantity=0.001&timestamp=1234567890123" | \
  openssl pkeyutl -sign -inkey private_key.pem | base64
```

As written, any agent following this example would produce an invalid signature and receive a -1022 Signature for this request is not valid error from Binance.

| `/api/v3/depth` (GET) | Order book | symbol | limit, symbolStatus | No |
| `/api/v3/historicalTrades` (GET) | Old trade lookup | symbol | limit, fromId | No |
| `/api/v3/klines` (GET) | Kline/Candlestick data | symbol, interval | startTime, endTime, timeZone, limit | No |
| `/api/v3/ticker` (GET) | Rolling window price change statistics | None | symbol, symbols, windowSize, type, symbolStatus | No |

P1 /api/v3/historicalTrades authentication mis-labelled

The Binance API marks /api/v3/historicalTrades as API-key authenticated — callers must include the X-MBX-APIKEY header even though no HMAC signature is required. The current table lists this endpoint as No for authentication, which would cause agents to omit the key header and receive a 401 Unauthorized error. Consider adding a third tier (e.g., API-key) to distinguish between fully-unsigned public endpoints and key-only endpoints.

---

## Parameters

P2 Duplicate parameter entries

Several parameters are defined more than once in the Common Parameters section, which can cause confusion for the AI agent consuming this skill. The duplicates spotted are: symbol (lines 71 & 75), quantity (lines 86 & 101), price (lines 88 & 102), stopPrice (lines 91 & 104), orderId (lines 98 & 148), timestamp (lines 83 & 149), and limit (lines 82 & 150).

Remove all duplicate entries and keep only the most descriptive version of each.

* **orderId**: (e.g., 1)
* **origClientOrderId**:
* **newQty**: `newQty` must be greater than 0 and less than the order's quantity. (e.g., 1)
* **cancelNewClientOrderId**: Used to uniquely identify this cancel. Automatically generated by default.
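
Review bot: `origClientOrderId` in the second bullet has an empty description, and `orderId` above it carries only an example value, so an agent reading these lines cannot tell what either one identifies or whether they are alternatives. Give each a one-line description in the same form as `newQty` and `cancelNewClientOrderId`.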

P2 Malformed parameter description — missing spaces

The pegOffsetValue description has words run together without spaces, making it unreadable for both humans and agents:

Priceleveltopegthepriceto(max:100). SeePeggedOrdersInfo
Suggested change
* **cancelNewClientOrderId**: Used to uniquely identify this cancel. Automatically generated by default.
* **pegOffsetValue**: Price level to peg the price to (max: 100). See Pegged Orders Info (e.g., 1)

Comment on lines +174 to +180
### Enums

* **interval**: 1s | 1m | 3m | 5m | 15m | 30m | 1h | 2h | 4h | 6h | 8h | 12h | 1d | 3d | 1w | 1M
* **windowSize**: 1m ... 6d
* **type**: FULL | MINI
* **type**: MARKET | LIMIT | STOP_LOSS | STOP_LOSS_LIMIT | TAKE_PROFIT | TAKE_PROFIT_LIMIT | LIMIT_MAKER | NON_REPRESENTABLE
* **selfTradePreventionMode**: NONE | EXPIRE_TAKER | EXPIRE_MAKER | EXPIRE_BOTH | DECREMENT | NON_REPRESENTABLE
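
Review bot: `type` is listed twice in this Enums block with two different value sets (`FULL | MINI` and `MARKET | LIMIT | ...`), so an agent cannot tell which set applies to which request. Qualify each entry with the parameter context it belongs to. `windowSize: 1m ... 6d` is also a range rather than an enumeration; list the allowed units and bounds explicitly.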

P1 Credential sharing via plaintext chat is a security risk

The skill instructs users to share their Binance API key and secret as bare plaintext lines in a file or chat message:

abc123...xyz
secret123...key

This approach has no labels to distinguish key from secret, is error-prone, and encourages users to paste live credentials directly into a chat session. The secret key in particular should never transit a chat interface unencrypted. Consider instead directing users to use environment variables (BINANCE_API_KEY / BINANCE_SECRET_KEY) or a named credentials store, and documenting that format instead.
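
The three authentication tiers from the review (none, API-key header only, signed) and the recommendation to read credentials from `BINANCE_API_KEY` / `BINANCE_SECRET_KEY` can be combined in one request builder. This is an added example, not code from the PR or from Binance; `AUTH_TIER`, `load_credentials` and `build_request` are hypothetical names, the endpoint table is a constructed subset, and the key values are constructed.

```python
import hashlib
import hmac
import os
from urllib.parse import urlencode

# Auth tier per endpoint, following the review: public, API-key header only, or signed.
# Constructed subset for illustration, not the skill's full endpoint list.
AUTH_TIER = {
    ("GET", "/api/v3/exchangeInfo"): "none",
    ("GET", "/api/v3/historicalTrades"): "api-key",
    ("POST", "/api/v3/order"): "signed",
}


def load_credentials(env=os.environ):
    """Read the key pair from named environment variables, never from chat text."""
    try:
        return env["BINANCE_API_KEY"], env["BINANCE_SECRET_KEY"]
    except KeyError as missing:
        raise RuntimeError(f"credential variable {missing} is not set") from None


def build_request(method, path, params, timestamp_ms, env=os.environ):
    """Return (headers, query_string) carrying only the auth material the tier needs."""
    tier = AUTH_TIER[(method, path)]  # unknown endpoints raise KeyError: fail closed
    query = urlencode(params)
    if tier == "none":
        return {}, query  # credentials are not loaded for public endpoints
    api_key, secret = load_credentials(env)
    headers = {"X-MBX-APIKEY": api_key}
    if tier == "signed":
        # HMAC-SHA256 over the exact query string that is sent, hex-encoded.
        query = urlencode({**params, "timestamp": timestamp_ms})
        digest = hmac.new(secret.encode(), query.encode(), hashlib.sha256)
        query += "&signature=" + digest.hexdigest()
    return headers, query


if __name__ == "__main__":
    # Constructed credentials; real ones come from the process environment.
    demo_env = {"BINANCE_API_KEY": "constructed-key", "BINANCE_SECRET_KEY": "constructed-secret"}
    order = {"symbol": "BTCUSDT", "side": "BUY", "type": "MARKET", "quantity": "0.001"}
    for method, path, params in [
        ("GET", "/api/v3/exchangeInfo", {}),
        ("GET", "/api/v3/historicalTrades", {"symbol": "BTCUSDT", "limit": 5}),
        ("POST", "/api/v3/order", order),
    ]:
        headers, query = build_request(method, path, params, 1234567890123, demo_env)
        print(method, path, sorted(headers), query)
```

Because the tier lookup happens before any credential access, a public call works with no variables set and the secret is only touched on signed endpoints.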

Comment on lines +9 to +13
| Mainnet | https://api.binance.com |
| Testnet | https://testnet.binance.vision |

## Required Headers
X-MBX-APIKEY: your_api_key

P2 Demo environment missing from Base URLs table

SKILL.md references a third base URL (https://demo-api.binance.com) under the Authentication section, but authentication.md only lists Mainnet and Testnet. Agents using the demo environment would need to refer back to the main skill file for the URL.

Suggested change
| Mainnet | https://api.binance.com |
| Testnet | https://testnet.binance.vision |
## Required Headers
X-MBX-APIKEY: your_api_key
| Environment | URL |
|-------------|-----|
| Mainnet | https://api.binance.com |
| Testnet | https://testnet.binance.vision |
| Demo | https://demo-api.binance.com |
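
Review bot: the replacement shown for lines +9 to +13 stops at the Demo row and does not carry over `## Required Headers` or `X-MBX-APIKEY: your_api_key`, both of which sit inside the commented range, so applying it as shown would drop that section. It also opens with a `| Environment | URL |` header and separator row although the range starts at the Mainnet row, which would duplicate the table header if one already precedes line 9. Narrow the suggestion to the two URL rows plus the added Demo row.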
