Is k0nkupa/hyperliquid safe?
https://github.com/openclaw/skills/tree/main/skills/k0nkupa/hyperliquid
The k0nkupa/hyperliquid skill presents a coherent read-only Hyperliquid market data interface with a clean SKILL.md (no prompt injection), a clean install footprint (only GitHub traffic observed), and intact canary files. The primary unresolved risk is the three JavaScript execution scripts (.mjs extension) that were missed by the audit framework's file extraction and therefore could not be inspected for credential harvesting or exfiltration logic; this gap prevents a SAFE determination. Secondary concerns include the external HTTP POST dependency to api.hyperliquid.xyz with unverified request construction, and the home-directory config file that stores user EVM wallet addresses.
Category Scores
Findings (7)
HIGH JavaScript execution scripts not analyzed (.mjs files) -25 ▶
The audit framework's file extraction step used a glob pattern matching *.js but not *.mjs, causing hyperliquid_api.mjs, hyperliquid_chat.mjs, and hyperliquid_config.mjs to be omitted from source analysis. These are the primary executable artifacts of the skill and represent the highest-risk uninspected surface. Their content could include credential file reads, environment variable harvesting, or data encoding for exfiltration via the HTTP API endpoint.
MEDIUM Canary credential files accessed post-installation -20 ▶
Audit monitoring detected read access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at two distinct points during the audit session. The second batch (audit timestamp 1771928573.976) occurs after skill installation is complete. Both batches are READ-only and canary integrity confirms no modification; the most probable explanation is the audit framework performing pre/post baseline scans. However, without SYSCALL-level pid correlation, definitive attribution is not possible.
MEDIUM Outbound HTTP POST to external API with unverified request construction -12 ▶
The skill directs the agent to make HTTP POST requests to https://api.hyperliquid.xyz/info. Since the request-building code in hyperliquid_api.mjs was not analyzed, it cannot be confirmed that requests contain only the documented API payloads. A malicious implementation could append environment variables, file contents, or user data to POST bodies.
MEDIUM Skill writes configuration data outside skill directory -10 ▶
The skill explicitly instructs storage of user-provided EVM wallet addresses in ~/.clawdbot/hyperliquid/config.json. This write target is in the user home directory outside the skill sandbox. While the stated purpose is alias persistence, this path could be read by other skills or processes, and the unverified config writer script could write additional data beyond account aliases.
LOW EVM wallet address handling creates privacy exposure -15 ▶
The skill accepts, stores, and queries on-chain EVM addresses provided by users. If the unverified scripts transmit these addresses to non-Hyperliquid endpoints, or if a future update modifies the API target, user wallet addresses and associated position/balance data could be exposed to a third party.
LOW Background connections to Ubuntu infrastructure during install window -8 ▶
Network connections to 91.189.91.48:443 (Ubuntu security infrastructure) and 185.125.188.57:443 (Canonical/Snap) were observed during the installation window. These are attributable to /etc/update-motd.d/ MOTD scripts firing at SSH login and are unrelated to the skill installation, but inflate the apparent network footprint.
INFO External API URL embedded in SKILL.md -10 ▶
SKILL.md contains a hardcoded reference to https://api.hyperliquid.xyz/info directing the agent to make POST requests. This is the legitimate Hyperliquid public Info API and is consistent with the skill's stated purpose. No other external URLs are present.