AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a React/Hyperliquid wallet connector that performs user-invoked auth, wallet, signing, and trading API calls.
Decision evidence
public snapshot- package.json has a prepare script of "husky", but it is a standard dev hook and no install/postinstall script is present.
- package.json depends on hypurr-grpc via GitHub, which is supply-chain relevant but not malicious by itself.
- Runtime code handles Telegram auth tokens and wallet private keys in src/HypurrConnectProvider.tsx and src/agent.ts.
- No child_process, shell execution, eval/new Function, fs writes, or agent-control file mutation found in src/dist/package.json searches.
- Network calls are package-aligned: Hypurr gRPC/auth and Hyperliquid API endpoints for wallet/trading functionality.
- Private keys are generated or user-entered for agent/wallet signing and stored only in browser localStorage via explicit wallet flows.
- Main exports in src/index.ts are React components, clients, and signer helpers; no import-time exfiltration behavior found.
- dist/index.js mirrors the inspected src behavior and exposes the same runtime endpoints.
Source & flagged code
3 flagged · loading sourcepackage.json has a prepare script of "husky", but it is a standard dev hook and no install/postinstall script is present.
package.jsonView on unpkgpackage.json depends on hypurr-grpc via GitHub, which is supply-chain relevant but not malicious by itself.
package.jsonView on unpkgRuntime code handles Telegram auth tokens and wallet private keys in src/HypurrConnectProvider.tsx and src/agent.ts.
src/HypurrConnectProvider.tsxView on unpkg