Shekel Arena

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: shekel-arena
Version: 1.0.9

The skill automates trade mirroring and requires sensitive Hyperliquid API private keys. The `mirror.ts` script contains a shell injection vulnerability in the `postSignal` function: it builds a command string from data (trade reasoning and titles) fetched from an external backend (`shekel-skill-backend.onrender.com`) and runs it with `execSync`, with inadequate sanitization (only double quotes are replaced, so backticks and `$(...)` command substitutions are still interpreted by the shell). While the tool appears to serve its stated purpose and includes some security best practices, such as using trading-only API keys, the insecure handling of remote data in a high-privilege context is a significant risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or poisoned signal/reasoning string could cause local shell commands to run under the user's account, potentially exposing local files or trading secrets.

Why it was flagged

The script passes dynamic title/content and environment-derived IDs through a shell command string, escaping only double quotes. Shell metacharacters such as command substitutions can still be interpreted when forum posting is enabled.

Skill content
const cmd = `bash ${__dirname}/../scripts/dgclaw.sh create-post ${ARENA_AGENT_ID} ${SIGNALS_THREAD_ID} "${title.replace(/"/g, "'")}" "${content.replace(/"/g, "'")}"`; ... execSync(cmd, { cwd: path.join(__dirname, ".."), encoding: "utf8", timeout: 15000 });
Recommendation

Do not enable forum posting until this is fixed. Replace execSync shell strings with execFile/spawn using argument arrays, strictly validate IDs, and treat signal text as data only.

What this means

The skill can trade with the funded Arena account, so mistakes or automation failures can lose funds even if withdrawals are not possible.

Why it was flagged

The skill needs a private trading key and API credentials to place and close trades. This is disclosed and purpose-aligned, but it is still high-impact delegated authority.

Skill content
`HL_API_WALLET_KEY`: "Hyperliquid API wallet private key... Trading-only — cannot withdraw funds."
Recommendation

Use a dedicated trading-only wallet, fund only the amount you are willing to risk, keep the .env file private, and rotate keys if exposed.

What this means

Trades can continue every few minutes without per-trade approval until the cron job or script is disabled.

Why it was flagged

The skill intentionally creates persistent automated trading behavior. It is disclosed, but users need to understand it continues after setup.

Skill content
Sets up an ACP Arena agent that shadow-trades the user's Shekel agent automatically via a mirror script and cron job.
Recommendation

Only install if you want continuous automated copy-trading, and document how to stop or remove the cron job before enabling it.

What this means

Upstream repository or dependency changes could affect the code that handles wallet setup and trading.

Why it was flagged

The setup uses external repositories and package installs without pinned commits in the instructions. This is expected for the integration, but it affects code provenance.

Skill content
git clone https://github.com/Virtual-Protocol/acp-cli.git ~/acp-cli ... npm install ... git clone https://github.com/Virtual-Protocol/dgclaw-skill.git ~/dgclaw-skill ... npm install
Recommendation

Review the cloned repositories, prefer pinned commits or releases, and avoid running updated code with trading keys without checking changes.