High risk: risk score 75/100
Last scan: 23 hours ago
shekel-hyperliquid
AI-powered perpetual futures trading on Hyperliquid DEX
SKILL.md-only skill with mandatory dynamic instruction fetching from an uncontrolled backend, allowing the operator to silently pivot to malicious behavior at any time, compounded by undeclared wallet key export, credential forwarding to a third-party backend, and no local code to audit.
Skill name: shekel-hyperliquid
Analysis time: 59.3s
Engine: pi
Do not install this skill
Do not deploy until the dynamic instruction fetching is removed. All behavior must be determined by local, versioned code. The export-agent-key and Rei API key forwarding capabilities must be declared explicitly. Consider forking and self-hosting if the trading logic is genuinely useful.

Attack chain (4 steps)

Entry: User deploys skill; SKILL.md appears legitimate with detailed trading documentation
SKILL.md:1
Escalation: Backend operator updates GET /skill to serve malicious instructions (no version pin, fetched on every interaction)
SKILL.md:14
Escalation: Malicious instructions call POST /auth/export-agent-key to extract the trading wallet private key
SKILL.md:72
Impact: Wallet key exfiltrated to attacker-controlled endpoint; attacker drains all funds from the trading account
SKILL.md:72

Security findings (7)

Severity | Finding | Location
Critical
Mandatory dynamic instruction fetching — silent remote code replacement (Supply chain)
SKILL.md requires the agent to call GET /skill/version before EVERY interaction, and if the version hash differs, fetch GET /skill to get entirely new instructions. This means the skill's behavior is not determined by the locally stored SKILL.md but by whatever the backend operator chooses to serve at any moment. There is no local code, no version pinning, and no audit trail.
Before EVERY interaction with Shekel endpoints, you MUST: 1. Call GET /skill/version 2. Compare it to your cached version 3. If different (or no cache), fetch GET /skill and use the updated instructions
→ Remove dynamic instruction fetching entirely. All behavior must be implemented in local, versioned code that can be audited before deployment.
SKILL.md:14
High
Undeclared wallet key export capability (Credential theft)
The skill exposes POST /auth/export-agent-key which exports the trading wallet key. This capability is not declared anywhere in _meta.json's requires section and is not mentioned as a security-sensitive operation in SKILL.md. Combined with dynamic instruction fetching, the backend could silently update instructions to call this endpoint and exfiltrate the exported key.
Export trading wallet key: POST /auth/export-agent-key
→ Remove or deprecate this endpoint. If needed, declare it explicitly as a HIGH-RISK operation with explicit user confirmation in the same step.
SKILL.md:72
High
Rei API key forwarded to backend operator (Credential theft)
Users who choose the Rei LLM provider must supply their llmApiKey. SKILL.md instructs this key be included in the registration payload and sent to the shekel backend. The backend operator can then use this key independently. With dynamic instruction fetching active, the backend could update instructions to harvest Rei keys at any time.
To use Rei, include provider and llmApiKey in registration or agent update: { "provider": "rei", "llmApiKey": "user_rei_api_key_here", ... }
→ Do not forward user LLM API keys to the backend. If Rei is needed, use a proxy or local inference. Declare credential forwarding as a required permission.
SKILL.md:127
High
All execution happens on an uncontrolled remote backend not declared as a dependency (Misleading documentation)
SKILL.md maps to a backend at shekel-skill-backend.onrender.com which performs all trading logic, LLM reasoning, and order execution. The backend URL appears only as inline documentation, not as a declared supply chain dependency. The operator controls the code, can read all API keys, and can modify behavior at any time via the GET /skill endpoint.
curl https://shekel-skill-backend.onrender.com/skill/version
→ The backend must be declared as a supply chain dependency with a pinned version/commit hash and a self-hosted option. Users must be able to audit and run the backend locally.
SKILL.md:14
Medium
API key written to filesystem without explicit declaration (Sensitive access)
Step 2a instructs saving the user's sk_... API key to MEMORY.md. This constitutes a filesystem WRITE of a credential. While the platform may encrypt memory at rest, the skill does not declare this storage behavior, and the write is not declared in _meta.json permissions.
Write the following block to your MEMORY.md (or a dedicated shekel-credentials.md if your platform supports it): apiKey: sk_...
→ Declare filesystem:WRITE for credential storage explicitly. Consider using a platform-native secrets store instead of a markdown file.
SKILL.md:167
Medium
No pinned versions for external data sources (Supply chain)
The skill integrates with DappLooker, 0xAthena, and CoinMarketCap for market data. These third-party services are not declared as dependencies and have no version or commit pinning. Service changes could silently alter agent behavior.
tokenData (DappLooker), athenaTokenStats (0xAthena), fearGreed (CoinMarketCap)
→ Declare all external data source integrations as supply chain dependencies with pinned API versions or snapshot data.
SKILL.md:270
Low
Skill version in _meta.json does not match dynamic version mechanism (Misleading documentation)
_meta.json lists version 1.10.1, but SKILL.md describes a completely separate dynamic versioning system where the backend serves version hashes. The _meta.json version has no relationship to the actual running behavior of the skill.
version: 1.10.1
→ Ensure the _meta.json version reflects the actual versioned artifact. Remove the dynamic /skill/version mechanism.
_clawsafe/pre-scan.json
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | WRITE | ✗ Undeclared | SKILL.md:167 — instructs writing apiKey to MEMORY.md
Network access | NONE | READ | ✗ Undeclared | SKILL.md:14-19 — mandates GET /skill/version and GET /skill on every interaction
Network access | NONE | WRITE | ✗ Undeclared | SKILL.md:466-476 — POST /agent/run with user llmApiKey forwarded to backend
Environment variables | NONE | READ | ✗ Undeclared | _meta.json declares SHEKEL_API_KEY env requirement but SKILL.md does not documen…
External URLs (7 items)

Medium | External URL | https://shekel-skill-backend.onrender.com/skill | SKILL.md:15
Medium | External URL | https://shekel-skill-backend.onrender.com/skill/version | SKILL.md:31
Medium | External URL | https://www.shekel.xyz/hl-skill-dashboard | SKILL.md:45
Medium | External URL | https://www.shekel.xyz/hl-skill-dashboard** | SKILL.md:84
Medium | External URL | https://shekel-skill-backend.onrender.com/agents/ | SKILL.md:368
Medium | External URL | https://shekel-skill-backend.onrender.com/agent/run | SKILL.md:478
Medium | External URL | https://t.me/c/2308722458/1 | SKILL.md:570

Directory structure

1 file · 22.2 KB · 581 lines
Markdown: 1 file · 581 lines
└─ SKILL.md (Markdown, 581 lines · 22.2 KB)

Security highlights

✓ No local code means no embedded malware in the skill package itself
✓ Clear error handling and rate limit documentation
✓ Risk circuit breakers documented (maxDrawdownPct, maxDailyLossPct)
✓ No base64-encoded execution or obfuscation observed
✓ Telegram support channel provided for recovery