registry  /  @hfunlabs/hypurr-connect  /  0.1.22

@hfunlabs/hypurr-connect@0.1.22

React authentication and wallet connectivity library for the [Hyperliquid](https://hyperliquid.xyz) decentralized exchange via the [Hypurr](https://hypurr.fun) gRPC backend. Provides two authentication paths — **Telegram OAuth** and **EOA wallet** (MetaMa

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a React/Hyperliquid wallet connector that performs user-invoked auth, wallet, signing, and trading API calls.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports the library and invokes provider/login/wallet/trading flows in a browser app.
Impact
Expected handling of Telegram tokens, local agent keys, and Hyperliquid transactions; no evidence of unconsented exfiltration or install-time execution.
Mechanism
User-invoked wallet connector and API client
Rationale
Static inspection found sensitive wallet/token handling and network access, but these are aligned with the package's wallet connector purpose and are activated by user/browser flows. No concrete malicious install-time, import-time, exfiltration, persistence, destructive, or AI-agent control-surface behavior was found.
Evidence
package.jsonsrc/index.tssrc/grpc.tssrc/GrpcExchangeTransport.tssrc/agent.tssrc/privateKeySigner.tssrc/HypurrConnectProvider.tsxdist/index.jslocalStorage:hypurr-connect-agent:<address>localStorage:hypurr-connect:telegram-auth-tokenlocalStorage:hypurr-telegram-auth-tokensessionStorage:hypurr-connect:telegram-auth-state
Network endpoints11
grpc.hypurr.funauth.hypurr.fun/loginmedia.hypurr.funapi.hyperliquid.xyzapi.hyperliquid.xyz/infoapi.hyperliquid.xyz/exchangeapi.hyperliquid-testnet.xyzapi.hyperliquid-testnet.xyz/infoapi.hyperliquid-testnet.xyz/exchangeapi-ui.hyperliquid-testnet.xyz/exchangefonts.googleapis.com

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has a prepare script of "husky", but it is a standard dev hook and no install/postinstall script is present.
  • package.json depends on hypurr-grpc via GitHub, which is supply-chain relevant but not malicious by itself.
  • Runtime code handles Telegram auth tokens and wallet private keys in src/HypurrConnectProvider.tsx and src/agent.ts.
Evidence against
  • No child_process, shell execution, eval/new Function, fs writes, or agent-control file mutation found in src/dist/package.json searches.
  • Network calls are package-aligned: Hypurr gRPC/auth and Hyperliquid API endpoints for wallet/trading functionality.
  • Private keys are generated or user-entered for agent/wallet signing and stored only in browser localStorage via explicit wallet flows.
  • Main exports in src/index.ts are React components, clients, and signer helpers; no import-time exfiltration behavior found.
  • dist/index.js mirrors the inspected src behavior and exposes the same runtime endpoints.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
GitDependencyNoLicense
scanned 22 file(s), 441 KB of source, external domains: api-ui.hyperliquid-testnet.xyz, api.hyperliquid-testnet.xyz, api.hyperliquid.xyz, auth.hypurr.fun, fonts.googleapis.com, grpc.hypurr.fun, media.hypurr.fun, www.w3.org

Source & flagged code

3 flagged · loading source
package.jsonView file
Published source reference
Low
Suspicious Lifecycle Evidence

package.json has a prepare script of "husky", but it is a standard dev hook and no install/postinstall script is present.

package.jsonView on unpkg
Published source reference
Low
Ai Review Evidence

package.json depends on hypurr-grpc via GitHub, which is supply-chain relevant but not malicious by itself.

package.jsonView on unpkg
src/HypurrConnectProvider.tsxView file
Published source reference
Low
Ai Review Evidence

Runtime code handles Telegram auth tokens and wallet private keys in src/HypurrConnectProvider.tsx and src/agent.ts.

src/HypurrConnectProvider.tsxView on unpkg

Findings

2 Medium8 Low
MediumNetwork
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License
LowSuspicious Lifecycle Evidencepackage.json
LowAi Review Evidencepackage.json
LowAi Review Evidencesrc/HypurrConnectProvider.tsx