Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Decker + Hyperliquid

v1.1.0

Use when user asks about Hyperliquid DEX trading via Decker. Triggers: HL, 하이퍼리퀴드, DEX, 영구선물, HL 매수, HL 포지션, Hyperliquid 시세. Includes Safety Guidelines (posi...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes exactly the expected purpose (use Decker to view prices and place Hyperliquid DEX orders). Requiring the user to link Hyperliquid API keys in Decker is consistent with trading functionality. However, the instructions reference an OPENCLAW_SECRET and JWT usage for API calls even though the skill's manifest declares no required environment variables or primary credential — that mismatch is unexplained.
Instruction Scope
Runtime instructions tell the agent to build a GET request to DECKER_API_URL including openclaw_secret as a query parameter (openclaw_secret={OPENCLAW_SECRET}). Putting a secret in a URL query string can leak via logs/referrers and is a risky practice. The document also instructs users to generate and paste Hyperliquid private keys (0x... private keys) into Decker settings — instructing collection/storage of highly sensitive keys. The SKILL.md mentions JWTs for some operations but doesn't explain how those tokens are obtained/managed. Overall the instructions touch and transmit secrets without specifying secure handling.
Install Mechanism
Instruction-only skill with no install spec and no code files — low install risk. Nothing is downloaded or written by an install step.
Credentials
The skill uses OPENCLAW_SECRET in an API call but the manifest lists no required environment variables or primary credential. It also requires users to provide Hyperliquid private keys (sensitive secrets) in Decker settings, yet the skill does not declare or justify any environment/credential requirements. The presence of sensitive secrets without clear, declared handling is disproportionate and inconsistent.
Persistence & Privilege
always:false and no OS/config path requirements. The skill does not request persistent platform privileges. The only persistent effect described is instructing users to store API keys in Decker settings — that is external to this skill and not itself a platform privilege request.
What to consider before installing
This skill is coherent with its stated purpose (trading on Hyperliquid via Decker), but it references and transmits sensitive secrets in an unclear and potentially unsafe way. Before installing or using it, verify:

  1. Where and how OPENCLAW_SECRET is provided and stored (why is it needed and why isn't it declared?), and avoid placing secrets in URL query strings;
  2. How Decker stores Hyperliquid private keys (are they encrypted, is there an audit/log, is withdrawal disabled as claimed?), and prefer API-only wallets with no withdrawal permission;
  3. How JWTs are obtained and refreshed and whether any tokens are sent to third parties;
  4. That the decker skill this extends is official/trusted.

If you cannot confirm secure handling of secrets and storage practices, do not enable this skill or avoid using it for accounts holding substantial funds.


latest: vk975pn60kz2jtmaws9sway3zzd8322qb
155 downloads
0 stars
1 version
Updated 3h ago
v1.1.0
MIT-0

Decker + Hyperliquid (DEX) Skill

Goal

Look up prices and execute orders on the Hyperliquid DEX through Decker. Extends the main decker skill.

Quick Reference

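| User says | Action | Notes |
|---|---|---|
| "HL BTC 0.01 매수해줘" ("Buy 0.01 BTC on HL"), "Hyperliquid에서 이더 매수" ("Buy ETH on Hyperliquid") | order-request exchange_id=hyperliquid | Approval flow |
| "HL 시세" ("HL price"), "Hyperliquid BTC 가격" ("Hyperliquid BTC price") | Assistant API or price lookup | |
| "HL 포지션" ("HL position"), "Hyperliquid 포지션" ("Hyperliquid position") | Assistant API | JWT required |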

DECKER_API_URL

https://api.decker-ai.com

Orders (Hyperliquid)

Add exchange_id=hyperliquid to order-request:

GET {DECKER_API_URL}/api/v1/link/slack/order-request?slack_user_id={sender_id}&symbol=BTC&side=buy&quantity=0.01&exchange_id=hyperliquid&openclaw_secret={OPENCLAW_SECRET}
  • exchange_id=hyperliquid is required (executes on the Hyperliquid DEX)
  • symbol: BTC, ETH, etc. (USDT futures applied automatically)
  • quantity: contract quantity
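
The request above carries openclaw_secret in the URL query string, which the scan results flag as a leak path through logs. As an added example (not part of this skill or of Decker's code), the Python below redacts secret-bearing query parameters from log lines and reports which lines exposed one. The sample log lines, the secret value, and every parameter name other than openclaw_secret are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# "openclaw_secret" comes from this page; the other names are assumed extras.
SENSITIVE_PARAMS = {"openclaw_secret", "token", "api_key", "secret"}
URL_RE = re.compile(r"https?://\S+")

def redact_url(url):
    """Return (redacted_url, names_of_redacted_params)."""
    parts = urlsplit(url)
    hits, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits

def scrub_log_line(line):
    """Redact every URL in a log line; return (clean_line, leaked_params)."""
    leaked = []
    def _sub(match):
        clean, hits = redact_url(match.group(0))
        leaked.extend(hits)
        return clean
    return URL_RE.sub(_sub, line), leaked

# Constructed sample log lines (not real traffic; the secret value is made up).
SAMPLE_LOG = [
    "2025-01-01T00:00:00Z GET https://api.decker-ai.com/api/v1/link/slack/"
    "order-request?slack_user_id=U123&symbol=BTC&side=buy&quantity=0.01"
    "&exchange_id=hyperliquid&openclaw_secret=s3cr3t-example 200",
    "2025-01-01T00:00:05Z INFO order confirmed by user",
]

def audit(lines):
    """Return (scrubbed_lines, indexes of lines that carried a secret)."""
    scrubbed, flagged = [], []
    for i, line in enumerate(lines):
        clean, leaked = scrub_log_line(line)
        scrubbed.append(clean)
        if leaked:
            flagged.append(i)
    return scrubbed, flagged

if __name__ == "__main__":
    for line in audit(SAMPLE_LOG)[0]:
        print(line)
```

Any line index returned in the flagged list means the secret was written to storage in clear text and should be rotated, not only redacted.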

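Prerequisites

  • Decker account + Slack linked
  • user_settings.exchange_preference = hyperliquid, or specify exchange_id when ordering
  • Hyperliquid key linked (Decker Settings → Exchange API Settings)

Hyperliquid Key Setup (for agent guidance)

  1. Create an API-only wallet: go to https://app.hyperliquid.xyz/API → "Create API Wallet"
  2. Back up the private key: securely store the private key (starting with 0x) shown at creation (displayed only once)
  3. Decker settings: Log in → Settings → Exchange API Settings → Hyperliquid
    • API Key: wallet address (0x..., 42 characters) — optional
    • Secret Key: private key (0x..., 64 characters or more) — required
  4. Select the exchange: set exchange_preference to "Hyperliquid" and save
  5. Order: "HL BTC 0.01 매수해줘" ("Buy 0.01 BTC on HL"), via Slack/Telegram

⚠️ The API Wallet cannot withdraw; it is trade-only. Keeping it separate from your main wallet is recommended.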

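Safety Guidelines (absorbed from ClawHub hyperliquid-trading)

Before executing an order:

  1. Confirm the trade parameters with the user (coin, quantity, direction, price)
  2. Show the current price and existing positions alongside
  3. Calculate the expected cost/profit and inform the user

Position sizing:

  • Warn when an order exceeds 20% of account equity
  • Suggest an appropriate quantity based on the balance

Price and slippage:

  • For limit orders, compare the limit price with the current price
  • Warn of a possible typo when the limit price deviates 5% or more from the market price
  • For market orders, inform the user about slippage (e.g., 5%)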

Error Handling

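  • "Address required" / "Private key required" → check the Hyperliquid key linkage in Decker settings
  • "Unknown coin" → check supported symbols such as BTC, ETH
  • Network error → check API status and connectivity
  • No automatic retries — on failure, re-request only after user confirmation

References

  • Main decker skill: docs/openclaw_skills/decker/SKILL.md
  • Hyperliquid: decentralized perpetual futures DEX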
