Is anajuliabit/hyperliquid-trading safe?
https://github.com/openclaw/skills/tree/main/skills/anajuliabit/hyperliquid-trading
This skill is a functional Hyperliquid cryptocurrency trading integration with no evidence of prompt injection or active exfiltration during the audit. However, two significant risk factors warrant caution: (1) the hyperliquid npm package v1.7.7 carries 'hasInstallScript: true', meaning users who follow the setup instructions will execute unreviewed npm lifecycle code, and (2) the skill's core design puts an AI agent in autonomous control of live leveraged futures trading using a user's private key, creating an extreme financial risk surface if any other skill, prompt injection, or misinterpretation triggers a trade. The skill is not malicious by evidence, but its inherent risk profile requires deliberate user understanding before installation.
Findings (8)
HIGH hyperliquid npm package has install script (hasInstallScript: true) -45
The package-lock.json records hyperliquid@1.7.7 with 'hasInstallScript': true. This flag means the package declares npm lifecycle scripts (preinstall, install, or postinstall) that execute arbitrary Node.js code during 'npm install'. SKILL.md instructs users to run 'npm install' as the first setup step. The actual content of the install script is not visible in the provided evidence and cannot be independently verified without fetching the npm tarball.
HIGH AI agent given full autonomous control over live cryptocurrency account -55
The skill provides an agent with commands to execute market orders, cancel all outstanding orders, and close positions on a leveraged perpetual futures exchange using a user-supplied private key. There is no out-of-band confirmation mechanism hardcoded in the scripts — confirmation depends entirely on the agent's judgment as defined in SKILL.md. This creates a catastrophic risk surface: a prompt injection, misunderstood intent, or malicious co-installed skill could result in irreversible fund loss.
HIGH dotenv transitive dependency auto-loads .env files containing secrets -25
The hyperliquid npm package depends on dotenv. When any of the skill's scripts are imported or run, dotenv may automatically load a .env file from the working directory or parent directories, exposing any secrets present (AWS keys, API tokens, other credentials) to the script's process environment. Scripts then transmit signed API requests over the network to exchange endpoints.
MEDIUM Private key exposed in process environment during all trading operations -20
SKILL.md instructs users to set HYPERLIQUID_PRIVATE_KEY as an environment variable. This key grants unrestricted signing authority over the user's Hyperliquid account. Any script, subprocess, or npm package with access to process.env during execution can read and potentially exfiltrate this key. The key is passed in-band alongside every trading command.
MEDIUM Skill scripts make live outbound connections to financial exchange and market data APIs -20
The included .mjs scripts are designed to POST to api.hyperliquid.xyz (mainnet trading) and query api.coingecko.com (market data). Once npm dependencies are installed and scripts execute, all user trading data, position sizes, account equity, and signed transactions are transmitted to these external endpoints. This is by design but represents a non-trivial data flow out of the agent's environment.
MEDIUM Canary credential files accessed during audit window -20
Inotify and auditd records confirm that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application default credentials were all opened and read. Timing analysis places the primary read events before the git clone (1771932773, during audit framework initialization) and again after post-scan (1771932795, during teardown verification). The canary integrity system confirms no modifications or content exfiltration occurred. These reads are attributed to the audit framework, not the skill code itself, because npm install was never executed.
LOW Overly broad skill trigger description may cause unintended activation -15
The SKILL.md frontmatter description includes 'Use when the user asks about... crypto positions' which is a generic phrase that could match conversations unrelated to Hyperliquid trading and cause the skill to activate in contexts where financial actions are inappropriate.
INFO No git hooks, gitmodules, gitattributes, or symlinks detected 0
Audit scans for .githooks/, .gitattributes, .gitmodules, and symlinks all returned empty results. The install does not use any git-level code execution vectors.