AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by static source inspection. Network and key-handling behavior is aligned with a React wallet/auth connector for Hypurr and Hyperliquid.
Decision evidence
public snapshot- package.json has prepare script "husky", but no install/postinstall and no bundled hook files found
- package.json depends on git source hypurr-grpc from github:Hypurr-Fun/hypurr-grpc#dev
- Runtime stores Telegram JWT and generated agent private keys in browser localStorage by design
- package.json main/module exports dist/index.js; no bin, install, postinstall, preinstall, or native binary entrypoints
- src/grpc.ts and src/GrpcExchangeTransport.ts only call package-aligned Hypurr/Hyperliquid endpoints
- src/HypurrConnectProvider.tsx token handling validates auth state and same-origin postMessage before accepting tokens
- src/agent.ts generates agent keys locally with crypto.getRandomValues and only saves them under hypurr-connect localStorage keys
- No child_process, eval, Function, dynamic require/import, filesystem access, persistence, or destructive behavior found
Source & flagged code
2 flagged · loading sourcepackage.json has prepare script "husky", but no install/postinstall and no bundled hook files found
package.jsonView on unpkgpackage.json depends on git source hypurr-grpc from github:Hypurr-Fun/hypurr-grpc#dev
package.jsonView on unpkg