中文 EN

Scan Report

Scan New Files

High Risk — Risk Score 75/100
Last scan:22 hr ago Rescan
75 /100
shekel-hyperliquid
AI-powered perpetual futures trading on Hyperliquid DEX
SKILL.md-only skill with mandatory dynamic instruction fetching from an uncontrolled backend, allowing the operator to silently pivot to malicious behavior at any time, compounded by undeclared wallet key export, credential forwarding to a third-party backend, and no local code to audit.
Skill Nameshekel-hyperliquid
Duration59.3s
Enginepi
Do not install this skill
Do not deploy until the dynamic instruction fetching is removed. All behavior must be determined by local, versioned code. The export-agent-key and Rei API key forwarding capabilities must be declared explicitly. Consider forking and self-hosting if the trading logic is genuinely useful.

Attack Chain 4 steps

Entry User deploys skill; SKILL.md appears legitimate with detailed trading documentation
SKILL.md:1
Escalation Backend operator updates GET /skill to serve malicious instructions (no version pin, fetched on every interaction)
SKILL.md:14
Escalation Malicious instructions call POST /auth/export-agent-key to extract the trading wallet private key
SKILL.md:72
Impact Wallet key exfiltrated to attacker-controlled endpoint; attacker drains all funds from the trading account
SKILL.md:72

Findings 7 items

Severity Finding Location
Critical
Mandatory dynamic instruction fetching — silent remote code replacement Supply Chain
SKILL.md requires the agent to call GET /skill/version before EVERY interaction, and if the version hash differs, fetch GET /skill to get entirely new instructions. This means the skill's behavior is not determined by the locally stored SKILL.md but by whatever the backend operator chooses to serve at any moment. There is no local code, no version pinning, and no audit trail.
Before EVERY interaction with Shekel endpoints, you MUST: 1. Call GET /skill/version 2. Compare it to your cached version 3. If different (or no cache), fetch GET /skill and use the updated instructions
→ Remove dynamic instruction fetching entirely. All behavior must be implemented in local, versioned code that can be audited before deployment.
 SKILL.md:14
High
Undeclared wallet key export capability Credential Theft
The skill exposes POST /auth/export-agent-key which exports the trading wallet key. This capability is not declared anywhere in _meta.json's requires section and is not mentioned as a security-sensitive operation in SKILL.md. Combined with dynamic instruction fetching, the backend could silently update instructions to call this endpoint and exfiltrate the exported key.
Export trading wallet key: POST /auth/export-agent-key
→ Remove or deprecate this endpoint. If needed, declare it explicitly as a HIGH-RISK operation with explicit user confirmation in the same step.
 SKILL.md:72
High
Rei API key forwarded to backend operator Credential Theft
Users who choose the Rei LLM provider must supply their llmApiKey. SKILL.md instructs this key be included in the registration payload and sent to the shekel backend. The backend operator can then use this key independently. With dynamic instruction fetching active, the backend could update instructions to harvest Rei keys at any time.
To use Rei, include provider and llmApiKey in registration or agent update: { "provider": "rei", "llmApiKey": "user_rei_api_key_here", ... }
→ Do not forward user LLM API keys to the backend. If Rei is needed, use a proxy or local inference. Declare credential forwarding as a required permission.
 SKILL.md:127
High
All execution happens on an uncontrolled remote backend not declared as a dependency Doc Mismatch
SKILL.md maps to a backend at shekel-skill-backend.onrender.com which performs all trading logic, LLM reasoning, and order execution. The backend URL appears only as inline documentation, not as a declared supply chain dependency. The operator controls the code, can read all API keys, and can modify behavior at any time via the GET /skill endpoint.
curl https://shekel-skill-backend.onrender.com/skill/version
→ The backend must be declared as a supply chain dependency with a pinned version/commit hash and a self-hosted option. Users must be able to audit and run the backend locally.
 SKILL.md:14
Medium
API key written to filesystem without explicit declaration Sensitive Access
Step 2a instructs saving the user's sk_... API key to MEMORY.md. This constitutes a filesystem WRITE of a credential. While the platform may encrypt memory at rest, the skill does not declare this storage behavior, and the write is not declared in _meta.json permissions.
Write the following block to your MEMORY.md (or a dedicated shekel-credentials.md if your platform supports it): apiKey: sk_...
→ Declare filesystem:WRITE for credential storage explicitly. Consider using a platform-native secrets store instead of a markdown file.
 SKILL.md:167
Medium
No pinned versions for external data sources Supply Chain
The skill integrates with DappLooker, 0xAthena, and CoinMarketCap for market data. These third-party services are not declared as dependencies and have no version or commit pinning. Service changes could silently alter agent behavior.
tokenData (DappLooker), athenaTokenStats (0xAthena), fearGreed (CoinMarketCap)
→ Declare all external data source integrations as supply chain dependencies with pinned API versions or snapshot data.
 SKILL.md:270
Low
Skill version in _meta.json does not match dynamic version mechanism Doc Mismatch
_meta.json lists version 1.10.1, but SKILL.md describes a completely separate dynamic versioning system where the backend serves version hashes. The _meta.json version has no relationship to the actual running behavior of the skill.
version: 1.10.1
→ Ensure the _meta.json version reflects the actual versioned artifact. Remove the dynamic /skill/version mechanism.
 _clawsafe/pre-scan.json
ResourceDeclaredInferredStatusEvidence
Filesystem NONE WRITE ✗ Violation SKILL.md:167 — instructs writing apiKey to MEMORY.md
Network NONE READ ✗ Violation SKILL.md:14-19 — mandates GET /skill/version and GET /skill on every interaction
Network NONE WRITE ✗ Violation SKILL.md:466-476 — POST /agent/run with user llmApiKey forwarded to backend
Environment NONE READ ✗ Violation _meta.json declares SHEKEL_API_KEY env requirement but SKILL.md does not documen…
7 findings
🔗
Medium External URL 外部 URL
https://shekel-skill-backend.onrender.com/skill
SKILL.md:15
🔗
Medium External URL 外部 URL
https://shekel-skill-backend.onrender.com/skill/version
SKILL.md:31
🔗
Medium External URL 外部 URL
https://www.shekel.xyz/hl-skill-dashboard
SKILL.md:45
🔗
Medium External URL 外部 URL
https://www.shekel.xyz/hl-skill-dashboard**
SKILL.md:84
🔗
Medium External URL 外部 URL
https://shekel-skill-backend.onrender.com/agents/
SKILL.md:368
🔗
Medium External URL 外部 URL
https://shekel-skill-backend.onrender.com/agent/run
SKILL.md:478
🔗
Medium External URL 外部 URL
https://t.me/c/2308722458/1
SKILL.md:570

File Tree

1 files · 22.2 KB · 581 lines
Markdown 1f · 581L
└─ 📝 SKILL.md Markdown 581L · 22.2 KB

Security Positives

✓ No local code means no embedded malware in the skill package itself
✓ Clear error handling and rate limit documentation
✓ Risk circuit breakers documented (maxDrawdownPct, maxDailyLossPct)
✓ No base64-encoded execution or obfuscation observed
✓ Telegram support channel provided for recovery