Scan Report
5/100
decker
Decker AI trading platform Slack/Telegram bot integration — signals, portfolio, orders, auto-order rules, news digest, Slack/Telegram integration
Pure documentation skill (no executable code) providing a Slack/Telegram bot interface for a crypto trading platform. All credential handling (OPENCLAW_SECRET) is properly declared and used only as an HTTP header for internal API calls. No malicious indicators found.
Safe to install
Skill is safe to use as delivered. Since no code exists to audit, trust relies entirely on the Decker platform's backend security. Ensure the OPENCLAW_SECRET is stored securely and not exposed through logs.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem access declared or implied |
| Network | READ | READ | ✓ Aligned | SKILL.md uses web_fetch GET calls to api.decker-ai.com only |
| Shell | NONE | NONE | — | No subprocess, Bash, or shell execution references found |
| Environment | READ | READ | ✓ Aligned | OPENCLAW_SECRET is declared in metadata.config and used in HTTP headers |
| Skill Invoke | NONE | NONE | — | No skill_invoke capability declared; references decker-hyperliquid and decker-po… |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser tool usage |
| Database | NONE | NONE | — | No database access |
13 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | `https://decker-ai.com` | SKILL.md:34 |
| Medium | External URL | `https://decker-ai.com/decker-link` | SKILL.md:34 |
| Medium | External URL | `https://decker-ai.com/decker-link-telegram` | SKILL.md:34 |
| Medium | External URL | `https://api.decker-ai.com` | SKILL.md:127 |
| Medium | External URL | `https://decker-ai.com**` | SKILL.md:192 |
| Medium | External URL | `https://decker-ai.com/decker-link**` | SKILL.md:192 |
| Medium | External URL | `https://decker-ai.com/decker-link-telegram**` | SKILL.md:192 |
| Medium | External URL | `https://.../order-request?slack_user_id=...&openclaw_secret=...` | SKILL.md:196 |
| Medium | External URL | `https://api.decker-ai.com**` | SKILL.md:284 |
| Medium | External URL | `https://api.decker-ai.com/api/v1/system/health` | SKILL.md:374 |
| Medium | External URL | `https://api.decker-ai.com/api/v1/link/slack/order-request?slack_user_id=` | SKILL.md:422 |
| Medium | External URL | `https://backend-production.../order-request?openclaw_secret=...` | SKILL.md:509 |
| Medium | External URL | `https://api.decker-ai.com/api/v1/link/slack/order-request?slack_user_id=...&openclaw_secret=...` | SKILL.md:521 |
File Tree
4 files · 40.7 KB · 725 lines Markdown 4f · 725L
├─ references
│  ├─ API_QUICK.md (Markdown)
│  └─ QUESTIONS_LIST.md (Markdown)
├─ SKILL.md (Markdown)
└─ USER_GUIDE.md (Markdown)
Security Positives
✓ No executable code: entire skill is Markdown documentation, eliminating runtime execution risk
✓ OPENCLAW_SECRET credential properly declared in metadata.config with secret:true
✓ Documentation explicitly forbids exposing API URLs, backend URLs, or secrets to users
✓ web_fetch usage is limited to GET requests only to api.decker-ai.com (declared)
✓ No subprocess, shell execution, base64, eval, or obfuscation patterns found
✓ No sensitive path access (~/.ssh, ~/.aws, .env) or credential harvesting
✓ No remote script execution (curl|bash, wget|sh) or supply chain dependencies
✓ Clear and well-structured documentation with explicit safety rules