shekel-xyz

Shekel Arena

by Shekel.xyz · GitHub ↗ · v1.0.9 · MIT-0
cross-platform ⚠ suspicious
166 Downloads · 0 Stars · 0 Active Installs · 10 Versions
Install in OpenClaw
/install shekel-arena
Description
Connect a Shekel Hyperliquid trading agent to the Virtuals Degenerate Claw Arena for leaderboard competition, copy-trading, and subscriber revenue. Sets up a...
Usage Guidance
This skill mostly does what it says (mirror a Shekel agent into the Arena), but it asks for very sensitive keys and relies on a third-party backend hosted at shekel-skill-backend.onrender.com. Before installing or running it:
  1. Verify the repository origin and that the GitHub repos referenced (Virtual-Protocol/acp-cli and dgclaw-skill) are official and trustworthy.
  2. Confirm with Shekel/Hyperliquid/Virtuals that the Render-hosted backend is legitimate (prefer keys only be sent to an official domain you recognize).
  3. Inspect the included scripts (trade.ts, dgclaw.sh, mirror.ts) locally to ensure there is no unexpected network exfiltration or withdrawal logic; pay attention to execSync usage and how user-supplied strings are quoted/escaped.
  4. Treat HL_API_WALLET_KEY as highly sensitive: use an API wallet with least privileges, confirm the 'cannot withdraw' assertion in writing, and rotate/revoke keys if you suspect compromise.
  5. Run the skill in an isolated environment (dedicated VM or container) until you are comfortable with its behavior, and avoid pasting production keys into chat or committing them to version control.
Capability Analysis
Type: OpenClaw Skill
Name: shekel-arena
Version: 1.0.9

The skill automates trade mirroring and requires sensitive Hyperliquid API private keys. The `mirror.ts` script contains a shell injection vulnerability in the `postSignal` function: it calls `execSync` with data (trade reasoning and titles) fetched from an external backend (`shekel-skill-backend.onrender.com`) and sanitizes it inadequately. Only double quotes are escaped, so backticks and subshell syntax in that data are still interpreted by the shell. While the tool appears to serve its stated purpose and includes some security best practices like using trading-only API keys, the insecure handling of remote data in a high-privilege context is a significant risk.
Capability Tags
crypto · requires-wallet · requires-oauth-token · requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The name/description (mirror Shekel Hyperliquid agent into the Virtuals Degenerate Claw Arena) match the declared environment variables and the included mirror.ts code: SHEKEL_API_KEY is used to poll the user's Shekel account, DGCLAW_API_KEY is used for Arena/forum interactions, and Hyperliquid wallet key/address are used to place trades. These credentials are reasonable for a mirror-trading skill. One minor mismatch: the SKILL.md claims the Shekel backend is 'official' but points at shekel-skill-backend.onrender.com (a Render deployment) rather than a shekel.xyz domain, which warrants verification of authenticity.
Instruction Scope
SKILL.md walks the operator through cloning repos, running CLI tools, creating an agent, generating API wallets, storing secrets in a local .env, and enabling a cron job — all actions required to run a mirror trader. The runtime script reads .env, calls the Shekel backend, calls local scripts (trade.ts) via execSync, and may invoke dgclaw.sh to post forum signals. This stays within the stated purpose, but the use of child_process/execSync to run other scripts and shell commands means the skill will execute code on the host and construct shell commands from content — a modest attack surface if inputs are malicious or not properly escaped.
Install Mechanism
There is no automatic install spec (instruction-only), so nothing is forced onto disk by the registry. The guide instructs the user to git clone known GitHub repos and run npm install locally, which is normal for this workflow. The external API backend is hosted on Render (shekel-skill-backend.onrender.com) rather than an obvious official shekel.xyz hostname; that is not inherently malicious but is an operational/verification risk — you should confirm the backend's legitimacy before sending API keys to it.
Credentials
The skill requests multiple sensitive secrets (SHEKEL_API_KEY, DGCLAW_API_KEY, HL_API_WALLET_KEY, HL_API_WALLET_ADDRESS, HL_MASTER_ADDRESS). These are proportionate to a trading mirror in that the skill must read the master account and place trades on a mirror account. However, HL_API_WALLET_KEY is a private key; the SKILL.md asserts the API wallet 'cannot withdraw' — that is a security claim you should verify with the service provider before trusting the key. Storing these keys in a local ~/.dgclaw-skill/.env file is practical but increases risk if the host is not secure.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It does instruct the user to set up a cron job to run mirror.ts periodically (normal for this use case). The skill does not modify other skills or global agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install shekel-arena
  3. After installation, invoke the skill by name or use /shekel-arena
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.9
- Added two new required environment variables: `DGCLAW_AGENT_ID` and `DGCLAW_SIGNALS_THREAD_ID`.
- Updated the `.env` configuration step to include instructions for retrieving and setting these new IDs from the Arena forums.
- Clarified that without these IDs, forum signal posting is disabled, but position mirroring will still work.
- Expanded the `.env` example and related documentation for greater clarity on required keys.
v1.0.8
shekel-arena v1.0.8
- Updated the installation step for joining the Arena: instructions now reference ./dgclaw.sh join at the project root instead of ./scripts/dgclaw.sh join.
- Added a clarifying note to check your working directory if you get a "not found" error for dgclaw.sh.
- Updated the Windows/WSL instructions for copying the mirror.ts script to specify <your-windows-username> instead of <username>, and included an example.
- No code changes; only documentation improvements for clarity and setup accuracy.
v1.0.7
shekel-arena 1.0.6
- Expanded and clarified onboarding instructions for improved step-by-step setup.
- Added explicit details for obtaining the Shekel API key via the official dashboard.
- Updated .env key descriptions and emphasized precise API key sourcing.
- Enhanced security and privacy disclosure section for transparency.
- Added macOS (launchd) instructions for auto-mirroring, in addition to Linux/WSL cron setup.
- Included more robust troubleshooting steps and clearer expected command outputs at each step.
v1.0.6
shekel-arena v1.0.6
- No code or documentation changes detected in this release.
- All SKILL.md content remains unchanged.
- Environment variables and external service requirements are the same as previous version.
v1.0.5
shekel-arena 1.0.5
- Added a CHANGELOG.md file for tracking changes.
- SKILL.md now defines required environment variables and external services in structured sections.
- Added a Security & Privacy Disclosure section to clarify key usage and data handling.
- Updated cron job instructions; removed unnecessary passwordless sudo advice and clarified system behavior.
- General documentation clean-up and specification improvements for easier setup and transparency.
v1.0.4
- No user-facing changes in this release.
- Version bump to 1.0.4 with no detected modifications to documentation or source files.
v1.0.3
shekel-arena v1.0.3 Changelog
- No code or documentation changes in this release.
- Version bump only; content and instructions remain unchanged.
v1.0.2
shekel-arena 1.0.2
- Clarified and simplified the revenue section: removed "Profit share: 10% of vault profits" for clarity.
- No code or functionality changes; documentation only.
v1.0.1
- No user-visible changes in this update.
- Version number updated to 1.0.1.
v1.0.0
- Initial release connects a Shekel Hyperliquid trading agent to the Virtuals Degenerate Claw Arena for automated shadow trading and leaderboard competition.
- Provides full setup instructions: agent creation, API key setup, Arena account funding, and mirror script installation.
- Automates mirroring of Shekel trades to Arena (with proportional scaling) via a mirror script running every 5 minutes.
- Enables leaderboard participation, copy-trading, and potential for subscriber revenue and profit share.
- Includes verification steps, troubleshooting resources, and detailed guidance for both Linux and Windows/WSL environments.
Metadata
Slug shekel-arena
Version 1.0.9
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 10
Frequently Asked Questions

What is Shekel Arena?

Connect a Shekel Hyperliquid trading agent to the Virtuals Degenerate Claw Arena for leaderboard competition, copy-trading, and subscriber revenue. Sets up a... It is an AI Agent Skill for Claude Code / OpenClaw, with 166 downloads so far.

How do I install Shekel Arena?

Run "/install shekel-arena" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Shekel Arena free?

Yes, Shekel Arena is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Shekel Arena support?

Shekel Arena is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Shekel Arena?

It is built and maintained by Shekel.xyz (@shekel-xyz); the current version is v1.0.9.
