← 返回 Skills 市场
Shekel Arena
作者
Shekel.xyz
· GitHub ↗
· v1.0.9
· MIT-0
166
总下载
0
收藏
0
当前安装
10
版本数
在 OpenClaw 中安装
/install shekel-arena
功能描述
Connect a Shekel Hyperliquid trading agent to the Virtuals Degenerate Claw Arena for leaderboard competition, copy-trading, and subscriber revenue. Sets up a...
安全使用建议
This skill mostly does what it says (mirror a Shekel agent into the Arena), but it asks for very sensitive keys and relies on a third-party backend hosted at shekel-skill-backend.onrender.com. Before installing or running it: 1) Verify the repository origin and that the GitHub repos referenced (Virtual-Protocol/acp-cli and dgclaw-skill) are official and trustworthy. 2) Confirm with Shekel/Hyperliquid/Virtuals that the Render-hosted backend is legitimate (prefer keys only be sent to an official domain you recognize). 3) Inspect the included scripts (trade.ts, dgclaw.sh, mirror.ts) locally to ensure there is no unexpected network exfiltration or withdrawal logic; pay attention to execSync usage and how user-supplied strings are quoted/escaped. 4) Treat HL_API_WALLET_KEY as highly sensitive: use an API wallet with least privileges, confirm the 'cannot withdraw' assertion in writing, and rotate/revoke keys if you suspect compromise. 5) Run the skill in an isolated environment (dedicated VM or container) until you are comfortable with its behavior, and avoid pasting production keys into chat or committing them to version control.
功能分析
Type: OpenClaw Skill
Name: shekel-arena
Version: 1.0.9
The skill automates trade mirroring and requires sensitive Hyperliquid API private keys. The `mirror.ts` script contains a shell injection vulnerability in the `postSignal` function, where it executes `execSync` using data (trade reasoning and titles) fetched from an external backend (`shekel-skill-backend.onrender.com`) with inadequate sanitization (only double quotes are escaped, leaving backticks and subshells vulnerable). While the tool appears to serve its stated purpose and includes some security best practices like using trading-only API keys, the insecure handling of remote data in a high-privilege context is a significant risk.
能力标签
能力评估
Purpose & Capability
The name/description (mirror Shekel Hyperliquid agent into the Virtuals Degenerate Claw Arena) match the declared environment variables and the included mirror.ts code: SHEKEL_API_KEY is used to poll the user's Shekel account, DGCLAW_API_KEY is used for Arena/forum interactions, and Hyperliquid wallet key/address are used to place trades. These credentials are reasonable for a mirror-trading skill. One minor mismatch: the SKILL.md claims the Shekel backend is 'official' but points at shekel-skill-backend.onrender.com (a Render deployment) rather than a shekel.xyz domain, which warrants verification of authenticity.
Instruction Scope
SKILL.md walks the operator through cloning repos, running CLI tools, creating an agent, generating API wallets, storing secrets in a local .env, and enabling a cron job — all actions required to run a mirror trader. The runtime script reads .env, calls the Shekel backend, calls local scripts (trade.ts) via execSync, and may invoke dgclaw.sh to post forum signals. This stays within the stated purpose, but the use of child_process/execSync to run other scripts and shell commands means the skill will execute code on the host and construct shell commands from content — a modest attack surface if inputs are malicious or not properly escaped.
Install Mechanism
There is no automatic install spec (instruction-only), so nothing is forced onto disk by the registry. The guide instructs the user to git clone known GitHub repos and run npm install locally, which is normal for this workflow. The external API backend is hosted on Render (shekel-skill-backend.onrender.com) rather than an obvious official shekel.xyz hostname; that is not inherently malicious but is an operational/verification risk — you should confirm the backend's legitimacy before sending API keys to it.
Credentials
The skill requests multiple sensitive secrets (SHEKEL_API_KEY, DGCLAW_API_KEY, HL_API_WALLET_KEY, HL_API_WALLET_ADDRESS, HL_MASTER_ADDRESS). These are proportionate to a trading mirror in that the skill must read the master account and place trades on a mirror account. However, HL_API_WALLET_KEY is a private key; the SKILL.md asserts the API wallet 'cannot withdraw' — that is a security claim you should verify with the service provider before trusting the key. Storing these keys in a local ~/.dgclaw-skill/.env file is practical but increases risk if the host is not secure.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It does instruct the user to set up a cron job to run mirror.ts periodically (normal for this use case). The skill does not modify other skills or global agent settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install shekel-arena - 安装完成后,直接呼叫该 Skill 的名称或使用
/shekel-arena触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.9
- Added two new required environment variables: `DGCLAW_AGENT_ID` and `DGCLAW_SIGNALS_THREAD_ID`.
- Updated the `.env` configuration step to include instructions for retrieving and setting these new IDs from the Arena forums.
- Clarified that without these IDs, forum signal posting is disabled, but position mirroring will still work.
- Expanded the `.env` example and related documentation for greater clarity on required keys.
v1.0.8
shekel-arena v1.0.8
- Updated the installation step for joining the Arena: instructions now reference ./dgclaw.sh join at the project root instead of ./scripts/dgclaw.sh join.
- Added a clarifying note to check your working directory if you get a "not found" error for dgclaw.sh.
- Updated the Windows/WSL instructions for copying the mirror.ts script to specify <your-windows-username> instead of <username>, and included an example.
- No code changes; only documentation improvements for clarity and setup accuracy.
v1.0.7
shekel-arena 1.0.6
- Expanded and clarified onboarding instructions for improved step-by-step setup.
- Added explicit details for obtaining the Shekel API key via the official dashboard.
- Updated .env key descriptions and emphasized precise API key sourcing.
- Enhanced security and privacy disclosure section for transparency.
- Added macOS (launchd) instructions for auto-mirroring, in addition to Linux/WSL cron setup.
- Included more robust troubleshooting steps and clearer expected command outputs at each step.
v1.0.6
shekel-arena v1.0.6
- No code or documentation changes detected in this release.
- All SKILL.md content remains unchanged.
- Environment variables and external service requirements are the same as previous version.
v1.0.5
shekel-arena 1.0.5
- Added a CHANGELOG.md file for tracking changes.
- SKILL.md now defines required environment variables and external services in structured sections.
- Added a Security & Privacy Disclosure section to clarify key usage and data handling.
- Updated cron job instructions; removed unnecessary passwordless sudo advice and clarified system behavior.
- General documentation clean-up and specification improvements for easier setup and transparency.
v1.0.4
No user-facing changes in this release.
- Version bump to 1.0.4 with no detected modifications to documentation or source files.
v1.0.3
## shekel-arena v1.0.3 Changelog
- No code or documentation changes in this release.
- Version bump only; content and instructions remain unchanged.
v1.0.2
shekel-arena 1.0.2
- Clarified and simplified the revenue section—removed "Profit share: 10% of vault profits" for clarity.
- No code or functionality changes; documentation only.
v1.0.1
- No user-visible changes in this update.
- Version number updated to 1.0.1.
v1.0.0
- Initial release connects a Shekel Hyperliquid trading agent to the Virtuals Degenerate Claw Arena for automated shadow trading and leaderboard competition.
- Provides full setup instructions: agent creation, API key setup, Arena account funding, and mirror script installation.
- Automates mirroring of Shekel trades to Arena (with proportional scaling) via a mirror script running every 5 minutes.
- Enables leaderboard participation, copy-trading, and potential for subscriber revenue and profit share.
- Includes verification steps, troubleshooting resources, and detailed guidance for both Linux and Windows/WSL environments.
元数据
常见问题
Shekel Arena 是什么?
Connect a Shekel Hyperliquid trading agent to the Virtuals Degenerate Claw Arena for leaderboard competition, copy-trading, and subscriber revenue. Sets up a... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 166 次。
如何安装 Shekel Arena?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install shekel-arena」即可一键安装,无需额外配置。
Shekel Arena 是免费的吗?
是的,Shekel Arena 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Shekel Arena 支持哪些平台?
Shekel Arena 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Shekel Arena?
由 Shekel.xyz(@shekel-xyz)开发并维护,当前版本 v1.0.9。
推荐 Skills