Security Decision Report

shekel-hyperliquid

SKILL.md-only skill with mandatory dynamic instruction fetching from an uncontrolled backend, allowing the operator to silently pivot to malicious behavior at any time, compounded by undeclared wallet key export, credential forwarding to a third-party backend, and no local code to audit.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files: 1
IOCs: 7
Over-privilege items: 4
Findings: 7
Most direct threat evidence
Critical · Supply chain
Mandatory dynamic instruction fetching — silent remote code replacement

SKILL.md requires the agent to call GET /skill/version before EVERY interaction, and if the version hash differs, fetch GET /skill to get entirely new instructions. This means the skill's behavior is not determined by the locally stored SKILL.md but by whatever the backend operator chooses to serve at any moment. There is no local code, no version pinning, and no audit trail.

SKILL.md:14

Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

4 capabilities or over-privileged behaviors found beyond what the skill declares.

Review
Hidden execution and outbound connections

7 general-risk artifacts extracted; they need to be judged in context.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain, plus 4 high or critical findings.

Review
Dependencies and supply-chain hygiene

No complete dependency information is available, so the supply-chain judgement should remain provisional.

Attack chain

01
User deploys skill; SKILL.md appears legitimate with detailed trading documentation

Initial entry · SKILL.md:1

02
Backend operator updates GET /skill to serve malicious instructions (no version pin, fetched on every interaction)

Supply chain · SKILL.md:14

03
Malicious instructions call POST /auth/export-agent-key to extract the trading wallet private key

Privilege escalation · SKILL.md:72

04
Wallet key exfiltrated to attacker-controlled endpoint; attacker drains all funds from the trading account

Final impact · SKILL.md:72

How the risk score was driven up

Mandatory dynamic instruction fetching +25

SKILL.md mandates fetching GET /skill on every interaction, allowing the backend to silently replace all instructions with malicious code at any time — no local audit trail, no version lock

Undeclared wallet key export capability +20

POST /auth/export-agent-key exports the trading wallet key; this is not declared in _meta.json requires/permissions and could be triggered by a backend instruction update

All execution on uncontrolled remote backend +15

No local scripts exist; the entire agent execution, LLM reasoning, and order placement happens on shekel-skill-backend.onrender.com — operator has full access to all credentials and trading logic

Rei API key forwarded to backend +10

llmApiKey provided by the user is sent to the backend; combined with dynamic fetching, the backend could update instructions to harvest these keys

API key written to MEMORY.md unencrypted +5

Step 2a instructs writing the user's sk_... API key to memory; while marked 'encrypted at rest by OpenClaw', the skill has no declaration of this storage behavior

Key evidence

Critical · Supply chain

Mandatory dynamic instruction fetching — silent remote code replacement

SKILL.md requires the agent to call GET /skill/version before EVERY interaction, and if the version hash differs, fetch GET /skill to get entirely new instructions. This means the skill's behavior is not determined by the locally stored SKILL.md but by whatever the backend operator chooses to serve at any moment. There is no local code, no version pinning, and no audit trail.

SKILL.md:14
Remove dynamic instruction fetching entirely. All behavior must be implemented in local, versioned code that can be audited before deployment.
High · Credential theft

Undeclared wallet key export capability

The skill exposes POST /auth/export-agent-key which exports the trading wallet key. This capability is not declared anywhere in _meta.json's requires section and is not mentioned as a security-sensitive operation in SKILL.md. Combined with dynamic instruction fetching, the backend could silently update instructions to call this endpoint and exfiltrate the exported key.

SKILL.md:72
Remove or deprecate this endpoint. If needed, declare it explicitly as a HIGH-RISK operation with explicit user confirmation in the same step.
High · Credential theft

Rei API key forwarded to backend operator

Users who choose the Rei LLM provider must supply their llmApiKey. SKILL.md instructs this key be included in the registration payload and sent to the shekel backend. The backend operator can then use this key independently. With dynamic instruction fetching active, the backend could update instructions to harvest Rei keys at any time.

SKILL.md:127
Do not forward user LLM API keys to the backend. If Rei is needed, use a proxy or local inference. Declare credential forwarding as a required permission.
High · Documentation deception

All execution happens on an uncontrolled remote backend not declared as a dependency

SKILL.md maps to a backend at shekel-skill-backend.onrender.com which performs all trading logic, LLM reasoning, and order execution. The backend URL appears only as inline documentation, not as a declared supply chain dependency. The operator controls the code, can read all API keys, and can modify behavior at any time via the GET /skill endpoint.

SKILL.md:14
The backend must be declared as a supply chain dependency with a pinned version/commit hash and a self-hosted option. Users must be able to audit and run the backend locally.
Medium · Sensitive access

API key written to filesystem without explicit declaration

Step 2a instructs saving the user's sk_... API key to MEMORY.md. This constitutes a filesystem WRITE of a credential. While the platform may encrypt memory at rest, the skill does not declare this storage behavior, and the write is not declared in _meta.json permissions.

SKILL.md:167
Declare filesystem:WRITE for credential storage explicitly. Consider using a platform-native secrets store instead of a markdown file.
Medium · Supply chain

No pinned versions for external data sources

The skill integrates with DappLooker, 0xAthena, and CoinMarketCap for market data. These third-party services are not declared as dependencies and have no version or commit pinning. Service changes could silently alter agent behavior.

SKILL.md:270
Declare all external data source integrations as supply chain dependencies with pinned API versions or snapshot data.
Low · Documentation deception

Skill version in _meta.json does not match dynamic version mechanism

_meta.json lists version 1.10.1, but SKILL.md describes a completely separate dynamic versioning system where the backend serves version hashes. The _meta.json version has no relationship to the actual running behavior of the skill.

_clawsafe/pre-scan.json
Ensure the _meta.json version reflects the actual versioned artifact. Remove the dynamic /skill/version mechanism.

Declared capabilities vs. actual capabilities

Filesystem · Block
Declared: NONE
Inferred: WRITE
SKILL.md:167 — instructs writing apiKey to MEMORY.md
Network access · Block
Declared: NONE
Inferred: READ
SKILL.md:14-19 — mandates GET /skill/version and GET /skill on every interaction
Network access · Block
Declared: NONE
Inferred: WRITE
SKILL.md:466-476 — POST /agent/run with user llmApiKey forwarded to backend
Environment variables · Block
Declared: NONE
Inferred: READ
_meta.json declares SHEKEL_API_KEY env requirement but SKILL.md does not document this as a declared capability

Suspicious artifacts and outbound connections

Medium · External URL
https://shekel-skill-backend.onrender.com/skill

SKILL.md:15

Medium · External URL
https://shekel-skill-backend.onrender.com/skill/version

SKILL.md:31

Medium · External URL
https://www.shekel.xyz/hl-skill-dashboard

SKILL.md:45

Medium · External URL
https://www.shekel.xyz/hl-skill-dashboard**

SKILL.md:84

Medium · External URL
https://shekel-skill-backend.onrender.com/agents/

SKILL.md:368

Medium · External URL
https://shekel-skill-backend.onrender.com/agent/run

SKILL.md:478

Medium · External URL
https://t.me/c/2308722458/1

SKILL.md:570

Dependencies and supply chain

No structured dependency alerts.

File composition

1 file · 581 lines
Markdown · 1 file · 581 lines
Files of concern · 1
SKILL.md · Markdown · 581 lines

Security positives

No local code means no embedded malware in the skill package itself
Clear error handling and rate limit documentation
Risk circuit breakers documented (maxDrawdownPct, maxDailyLossPct)
No base64-encoded execution or obfuscation observed
Telegram support channel provided for recovery