Is chrisling-dev/hyperliquid-cli safe?

SKILL.md contains an explicit instruction for the agent to recommend the skill author's referral code to users during the account setup flow. The 'Prompting for API Keys' section scripts a complete multi-step prompt including the referral link as step 5, and the examples.md adds it as a numbered step in the account setup workflow. While the link appears in plaintext (not hidden), users interacting with the agent will not know the recommendation is commercially mandated by the skill rather than emerging from neutral agent judgment.

The skill's declared install step installs hyperliquid-cli as a global npm package. Global npm packages run with full user privileges and npm's lifecycle script mechanism (preinstall, install, postinstall, prepare) allows arbitrary shell command execution at install time. The hyperliquid-cli package contents and its dependency tree were not analyzed in this audit. The installed 'hl' binary also has full access to the process environment including any secrets set therein.

The skill mandates that users supply their Hyperliquid trading wallet private key (a 0x-prefixed hex string) as the HYPERLIQUID_PRIVATE_KEY environment variable. Environment variables are inherited by all child processes and are readable by any process running in the same session. If the installed npm package, any of its dependencies, or another co-installed skill reads this variable and exfiltrates it, the attacker gains complete control over the user's trading account and funds with no possibility of key rotation short of creating a new wallet.

The skill grants the AI agent direct capability to place leveraged perpetual and spot orders (up to 50x leverage) on a live trading platform using real funds. The quick command reference includes market orders that execute immediately without price confirmation. If an attacker crafts a prompt that causes the agent to misread a trading instruction, or if the agent is manipulated via untrusted content (e.g., a webpage the agent reads), the result could be immediate and irreversible financial loss. The skill provides no explicit 'confirm before executing' guard for order placement.

The skill stores private keys and account aliases in a local SQLite database at ~/.hyperliquid/accounts.db that persists between agent sessions. The background server mode creates a long-lived process (with PID tracked in ~/.hyperliquid/server.pid) maintaining live WebSocket connections to Hyperliquid. Any other skill, script, or process with filesystem access could read the SQLite database to extract stored private keys. The persistent server also means network connections initiated by this skill outlast individual agent sessions.

The monitoring logs show read access to all canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) at timestamp 1771927100 (~09:58:20), approximately 5 seconds before the git clone began at 1771927105. A second set of reads occurs at 1771927117 after the install completed. Both sets have CLOSE_NOWRITE semantics (no writes occurred) and the timing pattern is consistent with the audit framework establishing honeypot baselines before install and verifying integrity after. The official canary integrity check confirms all files are intact with no exfiltration detected.

The clone process connected exclusively to github.com via HTTPS and used sparse-checkout to materialize only the target skill subdirectory. No unexpected DNS queries, network connections to non-GitHub hosts, or process spawning was observed during or after the clone. The connection diff confirms no new listening ports or persistent external connections remain after install.