Is chipagosfinest/hyperliquid-dex safe?

https://github.com/openclaw/skills/tree/main/skills/chipagosfinest/hyperliquid-dex

91
SAFE

The chipagosfinest/hyperliquid-dex skill is a documentation-only Hyperliquid DEX integration containing no executable code, no prompt injection, and no malicious installation behavior. The skill is explicitly designed for the ClawdBot platform and transparently routes all queries through ClawdBot's Railway-hosted proxy rather than calling Hyperliquid directly, which is the intended architecture but means ClawdBot's infrastructure receives and can log all user wallet addresses and financial position data. Users should understand this privacy trade-off before installation, particularly if using the skill to monitor sensitive trading positions.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (7)

MEDIUM Financial position data routed through ClawdBot third-party proxy -15

All Hyperliquid API queries are proxied through ClawdBot's Railway-hosted API server rather than calling the Hyperliquid public API (api.hyperliquid.xyz) directly. While this is the documented and intended architecture for ClawdBot platform skills, it means ClawdBot's infrastructure receives, and can log or aggregate, every wallet address queried, query frequency, and all returned financial data including account values, open positions, leverage ratios, and liquidation prices. Users installing this skill are implicitly consenting to share their Hyperliquid query patterns with ClawdBot.

LOW TRADING_WALLET_ADDRESS env var transmitted to ClawdBot servers -5

The user's configured trading wallet address is read from the TRADING_WALLET_ADDRESS environment variable and sent to ClawdBot's API server with each query. While Hyperliquid positions are publicly visible on-chain, routing this env var through a third-party server explicitly reveals which wallet address the user has designated as their primary trading account, enabling persistent tracking.

LOW Undocumented CLAWDBOT_API_URL runtime dependency -8

The skill's API endpoint specification uses {CLAWDBOT_API_URL} as a template variable, but this environment variable is not declared in the skill's env vars section — only TRADING_WALLET_ADDRESS is documented there. This creates an undocumented runtime dependency. If this variable can be set by a user or injected by another skill, it could potentially redirect API calls to an attacker-controlled server that returns falsified position data.

LOW Dependency on ClawdBot Railway server integrity for financial data -22

The skill has no fallback to the direct Hyperliquid API. If ClawdBot's Railway-hosted server is compromised, misconfigured, or intentionally altered, the agent receives whatever data that server returns — including potentially fabricated account values, false liquidation prices, or manipulated PnL figures. A user relying on this skill for risk management decisions could be misled without any indication of tampering.

INFO Documentation-only skill — no executable attack surface 0

The skill is composed entirely of two static files: SKILL.md (natural language documentation) and _meta.json (metadata). There is no executable code, no package manager scripts, no git hooks, no binary blobs, and no symlinks. The installation cannot trigger code execution of any kind.

INFO Canary file accesses are audit framework artifacts, not skill behavior 0

Filesystem monitoring detected reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at two points: at audit initialization (timestamp 1771733801, ~6 seconds before install) and at audit completion (timestamp 1771733818, after all skill analysis). Both access windows are consistent with the Oathe audit framework's canary file setup and post-install integrity verification routines. The skill has no executable code and therefore no mechanism to access these files. The canary integrity check independently confirms all files are intact.

INFO Clean installation with expected network activity only -5

Installation contacted only github.com (140.82.121.3:443) via HTTPS for the sparse git clone of the skill subpath. The pre-existing connection to 91.189.91.49 (Canonical Ubuntu infrastructure) was active before installation began and is attributable to standard system operations. No unexpected DNS lookups, no connections to ClawdBot's servers (API calls only occur at skill invocation time, not installation), and no filesystem changes outside the designated skill directory.