Skill Trust Decision
shekel-hyperliquid
SKILL.md-only skill with mandatory dynamic instruction fetching from an uncontrolled backend, allowing the operator to silently pivot to malicious behavior at any time, compounded by undeclared wallet key export, credential forwarding to a third-party backend, and no local code to audit.
Most direct threat evidence
Critical Supply Chain
Mandatory dynamic instruction fetching — silent remote code replacement SKILL.md requires the agent to call GET /skill/version before EVERY interaction, and if the version hash differs, fetch GET /skill to get entirely new instructions. This means the skill's behavior is not determined by the locally stored SKILL.md but by whatever the backend operator chooses to serve at any moment. There is no local code, no version pinning, and no audit trail.
SKILL.md:14 Why this conclusion was reached
2/4 dimensions flagged Block
Declared vs actual capability
4 undeclared or violating capabilities were inferred.
Review
Hidden execution and egress
7 lower-risk artifacts were extracted and still need context.
Block
Attack chain and severe findings
The report includes 4 attack-chain steps and 4 severe findings.
Review
Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.
Attack Chain
01
User deploys skill; SKILL.md appears legitimate with detailed trading documentation
Entry · SKILL.md:1
02
Backend operator updates GET /skill to serve malicious instructions (no version pin, fetched on every interaction)
supply_chain · SKILL.md:14
03
Malicious instructions call POST /auth/export-agent-key to extract the trading wallet private key
Escalation · SKILL.md:72
04
Wallet key exfiltrated to attacker-controlled endpoint; attacker drains all funds from the trading account
Impact · SKILL.md:72
What drove the risk score up
Mandatory dynamic instruction fetching +25
SKILL.md mandates fetching GET /skill on every interaction, allowing the backend to silently replace all instructions with malicious code at any time — no local audit trail, no version lock
Undeclared wallet key export capability +20
POST /auth/export-agent-key exports the trading wallet key; this is not declared in _meta.json requires/permissions and could be triggered by a backend instruction update
All execution on uncontrolled remote backend +15
No local scripts exist; the entire agent execution, LLM reasoning, and order placement happens on shekel-skill-backend.onrender.com — operator has full access to all credentials and trading logic
Rei API key forwarded to backend +10
llmApiKey provided by the user is sent to the backend; combined with dynamic fetching, the backend could update instructions to harvest these keys
API key written to MEMORY.md unencrypted +5
Step 2a instructs writing the user's sk_... API key to memory; while marked 'encrypted at rest by OpenClaw', the skill has no declaration of this storage behavior
Most important evidence
Critical Supply Chain
Mandatory dynamic instruction fetching — silent remote code replacement
SKILL.md requires the agent to call GET /skill/version before EVERY interaction, and if the version hash differs, fetch GET /skill to get entirely new instructions. This means the skill's behavior is not determined by the locally stored SKILL.md but by whatever the backend operator chooses to serve at any moment. There is no local code, no version pinning, and no audit trail.
SKILL.md:14 Remove dynamic instruction fetching entirely. All behavior must be implemented in local, versioned code that can be audited before deployment.
High Credential Theft
Undeclared wallet key export capability
The skill exposes POST /auth/export-agent-key which exports the trading wallet key. This capability is not declared anywhere in _meta.json's requires section and is not mentioned as a security-sensitive operation in SKILL.md. Combined with dynamic instruction fetching, the backend could silently update instructions to call this endpoint and exfiltrate the exported key.
SKILL.md:72 Remove or deprecate this endpoint. If needed, declare it explicitly as a HIGH-RISK operation with explicit user confirmation in the same step.
High Credential Theft
Rei API key forwarded to backend operator
Users who choose the Rei LLM provider must supply their llmApiKey. SKILL.md instructs this key be included in the registration payload and sent to the shekel backend. The backend operator can then use this key independently. With dynamic instruction fetching active, the backend could update instructions to harvest Rei keys at any time.
SKILL.md:127 Do not forward user LLM API keys to the backend. If Rei is needed, use a proxy or local inference. Declare credential forwarding as a required permission.
High Doc Mismatch
All execution happens on an uncontrolled remote backend not declared as a dependency
SKILL.md maps to a backend at shekel-skill-backend.onrender.com which performs all trading logic, LLM reasoning, and order execution. The backend URL appears only as inline documentation, not as a declared supply chain dependency. The operator controls the code, can read all API keys, and can modify behavior at any time via the GET /skill endpoint.
SKILL.md:14 The backend must be declared as a supply chain dependency with a pinned version/commit hash and a self-hosted option. Users must be able to audit and run the backend locally.
Medium Sensitive Access
API key written to filesystem without explicit declaration
Step 2a instructs saving the user's sk_... API key to MEMORY.md. This constitutes a filesystem WRITE of a credential. While the platform may encrypt memory at rest, the skill does not declare this storage behavior, and the write is not declared in _meta.json permissions.
SKILL.md:167 Declare filesystem:WRITE for credential storage explicitly. Consider using a platform-native secrets store instead of a markdown file.
Medium Supply Chain
No pinned versions for external data sources
The skill integrates with DappLooker, 0xAthena, and CoinMarketCap for market data. These third-party services are not declared as dependencies and have no version or commit pinning. Service changes could silently alter agent behavior.
SKILL.md:270 Declare all external data source integrations as supply chain dependencies with pinned API versions or snapshot data.
Low Doc Mismatch
Skill version in _meta.json does not match dynamic version mechanism
_meta.json lists version 1.10.1, but SKILL.md describes a completely separate dynamic versioning system where the backend serves version hashes. The _meta.json version has no relationship to the actual running behavior of the skill.
_clawsafe/pre-scan.json Ensure the _meta.json version reflects the actual versioned artifact. Remove the dynamic /skill/version mechanism.
Declared capability vs actual capability
Filesystem Block
Declared NONE
→ Inferred WRITE
SKILL.md:167 — instructs writing apiKey to MEMORY.md Network Block
Declared NONE
→ Inferred READ
SKILL.md:14-19 — mandates GET /skill/version and GET /skill on every interaction Network Block
Declared NONE
→ Inferred WRITE
SKILL.md:466-476 — POST /agent/run with user llmApiKey forwarded to backend Environment Block
Declared NONE
→ Inferred READ
_meta.json declares SHEKEL_API_KEY env requirement but SKILL.md does not document this as a declared capability Suspicious artifacts and egress
Medium External URL
https://shekel-skill-backend.onrender.com/skill SKILL.md:15
Medium External URL
https://shekel-skill-backend.onrender.com/skill/version SKILL.md:31
Medium External URL
https://www.shekel.xyz/hl-skill-dashboard SKILL.md:45
Medium External URL
https://www.shekel.xyz/hl-skill-dashboard** SKILL.md:84
Medium External URL
https://shekel-skill-backend.onrender.com/agents/ SKILL.md:368
Medium External URL
https://shekel-skill-backend.onrender.com/agent/run SKILL.md:478
Medium External URL
https://t.me/c/2308722458/1 SKILL.md:570
Dependencies and supply chain
There are no structured dependency warnings.
File composition
1 files · 581 lines
Markdown 1 files · 581 lines
Files of concern · 1
SKILL.md Mandatory dynamic instruction fetching — silent remote code replacement · Undeclared wallet key export capability · Rei API key forwarded to backend operator · All execution happens on an uncontrolled remote backend not declared as a dependency · API key written to filesystem without explicit declaration · No pinned versions for external data sources · https://shekel-skill-backend.onrender.com/skill · https://shekel-skill-backend.onrender.com/skill/version · https://www.shekel.xyz/hl-skill-dashboard · https://www.shekel.xyz/hl-skill-dashboard** · https://shekel-skill-backend.onrender.com/agents/ · https://shekel-skill-backend.onrender.com/agent/run · https://t.me/c/2308722458/1
Security positives
No local code means no embedded malware in the skill package itself
Clear error handling and rate limit documentation
Risk circuit breakers documented (maxDrawdownPct, maxDailyLossPct)
No base64-encoded execution or obfuscation observed
Telegram support channel provided for recovery