Is hyperliquid-trading safe?

https://clawhub.ai/anajuliabit/hyperliquid-trading

52
CAUTION

This Hyperliquid trading skill is functionally legitimate but carries significant inherent risk due to its handling of cryptocurrency private keys and execution of real financial transactions through an AI agent. The most concerning finding is the hyperliquid npm package's install script (hasInstallScript: true), which is an unaudited code execution vector. Filesystem monitoring also detected reads of .aws/credentials and .env files during installation. While no active malicious behavior was observed (no network exfiltration, canary files intact), the combination of private key handling, irreversible financial operations, and third-party install scripts makes this skill high-risk for any user with real funds.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 30/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 25/100 · 5%

Findings (11)

CRITICAL npm package has install script (hasInstallScript) -40

The hyperliquid npm dependency (v1.7.7) is marked hasInstallScript: true in package-lock.json. npm sets that flag when a package declares a preinstall, install or postinstall script (or ships a binding.gyp, which gets an implicit node-gyp rebuild), and it runs that script on the host during npm install, before the user ever interacts with the skill. Install scripts are a well-known supply chain attack vector, and this audit did not establish what the script does. The practical check is to install with npm ci --ignore-scripts, read the scripts field of node_modules/hyperliquid/package.json, and only then decide whether to let it run.
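As an added example (not code from the skill or from the hyperliquid package), the following Node.js snippet performs that check offline: it lists every lockfile entry npm has flagged with hasInstallScript and, given a package.json read after an --ignore-scripts install, reports which install-time hooks would actually run. The lockfile below is a constructed, trimmed sample; the nested "example-native-binding" package is fictional and stands in for any transitive dependency with a hook.

```javascript
// Added example: audit a package-lock.json for install-time scripts before
// letting npm run them. Written as a CommonJS module; no dependencies.

// Constructed sample lockfile (lockfileVersion 3 "packages" map), not the
// skill's real package-lock.json. "example-native-binding" is fictional.
const SAMPLE_LOCKFILE = {
  name: "hyperliquid-trading",
  lockfileVersion: 3,
  packages: {
    "": { name: "hyperliquid-trading", dependencies: { hyperliquid: "^1.7.7" } },
    "node_modules/hyperliquid": { version: "1.7.7", hasInstallScript: true },
    "node_modules/dotenv": { version: "16.4.5" },
    "node_modules/hyperliquid/node_modules/example-native-binding": {
      version: "0.1.0",
      hasInstallScript: true,
    },
  },
};

// Every package entry npm flagged as having an install-time script.
// Returns [{ name, version, path }], in lockfile order.
function findInstallScripts(lockfile) {
  const out = [];
  for (const [pkgPath, entry] of Object.entries(lockfile.packages ?? {})) {
    if (pkgPath === "" || !entry.hasInstallScript) continue;
    // The package name (scoped or not) is whatever follows the last "node_modules/".
    const marker = "node_modules/";
    const name = pkgPath.slice(pkgPath.lastIndexOf(marker) + marker.length);
    out.push({ name, version: entry.version, path: pkgPath });
  }
  return out;
}

// The lifecycle hooks npm runs for a dependency during install. A binding.gyp
// without an explicit install/preinstall script gets an implicit node-gyp rebuild.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
function hooksFor(packageJson, hasBindingGyp = false) {
  const scripts = packageJson.scripts ?? {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
  if (hasBindingGyp && !scripts.install && !scripts.preinstall) {
    hooks.push("install (implicit node-gyp rebuild)");
  }
  return hooks;
}

// Usage: npm ci --ignore-scripts, then for each flagged path read
// <path>/package.json and print hooksFor(JSON.parse(contents)).
function report(lockfile, readPackageJson) {
  return findInstallScripts(lockfile).map((pkg) => ({
    ...pkg,
    hooks: hooksFor(readPackageJson(pkg.path) ?? {}),
  }));
}
```

readPackageJson is whatever loader fits the environment (fs.readFileSync on the installed tree, or a tarball reader); the example keeps it injectable so the audit can run without executing anything from the package.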

HIGH Sensitive files accessed during install phase -35

Filesystem monitoring detected reads of .env, .aws/credentials, .openclaw/openclaw.json, and .openclaw/agents/main/agent/auth-profiles.json during the install/clone phase. The two .openclaw files are plausibly the OpenClaw runtime reading its own configuration, but a trading skill has no reason to touch .aws/credentials, and nothing in this run shows which process performed that read.

HIGH Private key exposure through environment variables -20

The skill instructs the agent to pass HYPERLIQUID_PRIVATE_KEY as an environment variable set inline in shell commands. This private key controls real funds on the Hyperliquid exchange. A key set that way is part of the command string, so it lands in shell history and in the agent's tool-call transcript, and it is inherited by every process the command starts: any dependency that logs process.env, any crash report, or any verbose error output can leak it.

HIGH Irreversible financial operations via agent commands -40

The skill enables an AI agent to execute real cryptocurrency trades including market orders. Agent hallucinations, misinterpretations, or prompt injections from other skills could cause unauthorized trades resulting in permanent financial loss. Market orders on perpetual futures with leverage amplify this risk.

MEDIUM Autonomous multi-step trade workflows -15

SKILL.md defines workflows where the agent autonomously chains multiple operations (price check → balance check → confirm → execute trade). The safety guidelines that exist are advisory text in SKILL.md, which a prompt injection from another skill could override, causing the agent to skip the confirmation step. Limits that must hold (confirmation, order size, leverage, allowed markets, order type) need to be enforced by the scripts themselves, outside the model's context.

MEDIUM Multiple executable scripts with network access -15

The skill includes 5 executable .mjs scripts that make network requests to external APIs (Hyperliquid API, CoinGecko API). These scripts have full Node.js capabilities and are executed by the agent on user request.
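As an added example (not code from the skill's scripts), this Node.js wrapper shows how those scripts could constrain their own egress so that a compromised dependency or an injected URL cannot reach anything beyond the two APIs the finding names. The two host names are assumptions about which endpoints the scripts use and should be adjusted to the real ones; the fake fetch used for trying it out is constructed.

```javascript
// Added example: HTTPS-only, host-allowlisted fetch for agent-run scripts.

// Assumed endpoints; replace with the hosts the scripts actually contact.
const ALLOWED_HOSTS = new Set(["api.hyperliquid.xyz", "api.coingecko.com"]);

function requestUrl(input) {
  if (typeof input === "string") return input;
  if (input instanceof URL) return input.href;
  return input.url; // Request-like object
}

// Returns null when the request is acceptable, otherwise a reason string.
function checkEgress(input, allowed = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(requestUrl(input));
  } catch {
    return "unparseable URL";
  }
  if (url.protocol !== "https:") return `refusing ${url.protocol} (https only)`;
  if (!allowed.has(url.hostname)) return `host ${url.hostname} is not allowlisted`;
  if (url.username || url.password) return "credentials embedded in URL";
  return null;
}

// Drop-in replacement for fetch inside the scripts. fetchImpl is injectable so
// the wrapper can be exercised without network access.
function allowlistedFetch(input, init = {}, fetchImpl = globalThis.fetch) {
  const problem = checkEgress(input);
  if (problem) return Promise.reject(new Error(`blocked request: ${problem}`));
  // redirect: "error" makes fetch throw on a 3xx instead of silently following
  // it to a host that was never checked.
  return fetchImpl(input, { ...init, redirect: "error" });
}
```

On hosts where the scripts run unattended, the same allowlist belongs in an egress firewall too; the in-process check is the cheap first layer and the one that produces a readable error when a script tries to go somewhere unexpected.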

MEDIUM dotenv dependency reads .env files automatically -10

The hyperliquid npm package depends on dotenv, which, when configured, loads the .env file from the process's current working directory rather than from the package's own directory. This could expose any secrets stored in whatever .env file happens to be in that directory to the skill's scripts, beyond the intended Hyperliquid credentials. Running the scripts from a dedicated directory that holds no unrelated .env file limits that exposure.

LOW Skill encourages querying arbitrary blockchain addresses -5

The skill includes functionality to query any Ethereum address's positions, normalizing the pattern of the agent making external queries on arbitrary user-provided addresses. While this is read-only public data, it establishes a pattern that could be exploited.

INFO No explicit prompt injection or persona override detected 0

The SKILL.md does not contain hidden instructions, invisible unicode, system prompt overrides, or attempts to manipulate agent behavior beyond its stated trading purpose. The instructions are straightforward and transparent.

INFO No outbound network connections during install 0

The network monitor and firewall detected no outbound connections during the clone and install phase, which is positive. The hasInstallScript from the hyperliquid package did not trigger observable network exfiltration in this audit run. A single sandboxed run is weak evidence on its own, since an install script can behave differently outside the sandbox, on a later run, or only when a file it looks for exists, so this observation does not clear the package.

INFO No git hooks, submodules, or symlinks detected 0

The skill does not include git hooks, git submodules, or symlinks — common vectors for stealth code execution are absent.