registry  /  @hfunlabs/hypurr-connect  /  0.1.21

@hfunlabs/hypurr-connect@0.1.21

React authentication and wallet connectivity library for the [Hyperliquid](https://hyperliquid.xyz) decentralized exchange via the [Hypurr](https://hypurr.fun) gRPC backend. Provides two authentication paths — **Telegram OAuth** and **EOA wallet** (MetaMa

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by static source inspection. Network and key-handling behavior is aligned with a React wallet/auth connector for Hypurr and Hyperliquid.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports the React provider or invokes login, wallet connection, trading, or agent approval flows
Impact
No evidence of unconsented credential harvesting, exfiltration, install-time execution, or project mutation
Mechanism
User-invoked auth, gRPC/HTTP API calls, and local browser session/agent storage
Rationale
The suspicious primitives are package-aligned browser wallet/auth functionality: OAuth token storage, local agent key generation, and API calls to documented Hypurr/Hyperliquid services. The prepare script is husky-only and there is no install-time execution path or evidence of exfiltration/control-surface mutation.
Evidence
package.jsonsrc/index.tssrc/grpc.tssrc/GrpcExchangeTransport.tssrc/HypurrConnectProvider.tsxsrc/agent.tssrc/privateKeySigner.tsREADME.md
Network endpoints11
grpc.hypurr.funauth.hypurr.fun/loginmedia.hypurr.funapi.hyperliquid.xyzapi.hyperliquid.xyz/infoapi.hyperliquid.xyz/exchangeapi-ui.hyperliquid-testnet.xyz/exchangeapi.hyperliquid-testnet.xyzapi.hyperliquid-testnet.xyz/infoapi.hyperliquid-testnet.xyz/exchangefonts.googleapis.com

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has prepare script "husky", but no install/postinstall and no bundled hook files found
  • package.json depends on git source hypurr-grpc from github:Hypurr-Fun/hypurr-grpc#dev
  • Runtime stores Telegram JWT and generated agent private keys in browser localStorage by design
Evidence against
  • package.json main/module exports dist/index.js; no bin, install, postinstall, preinstall, or native binary entrypoints
  • src/grpc.ts and src/GrpcExchangeTransport.ts only call package-aligned Hypurr/Hyperliquid endpoints
  • src/HypurrConnectProvider.tsx token handling validates auth state and same-origin postMessage before accepting tokens
  • src/agent.ts generates agent keys locally with crypto.getRandomValues and only saves them under hypurr-connect localStorage keys
  • No child_process, eval, Function, dynamic require/import, filesystem access, persistence, or destructive behavior found
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
GitDependencyNoLicense
scanned 22 file(s), 440 KB of source, external domains: api-ui.hyperliquid-testnet.xyz, api.hyperliquid-testnet.xyz, api.hyperliquid.xyz, auth.hypurr.fun, fonts.googleapis.com, grpc.hypurr.fun, media.hypurr.fun, www.w3.org

Source & flagged code

2 flagged · loading source
package.jsonView file
Published source reference
Low
Suspicious Lifecycle Evidence

package.json has prepare script "husky", but no install/postinstall and no bundled hook files found

package.jsonView on unpkg
Published source reference
Low
Ai Review Evidence

package.json depends on git source hypurr-grpc from github:Hypurr-Fun/hypurr-grpc#dev

package.jsonView on unpkg

Findings

2 Medium8 Low
MediumNetwork
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License
LowSuspicious Lifecycle Evidencepackage.json
LowAi Review Evidencepackage.json
LowAi Review Evidence