registry  /  @hfunlabs/hypurr-connect  /  0.1.23

@hfunlabs/hypurr-connect@0.1.23

React authentication and wallet connectivity library for the [Hyperliquid](https://hyperliquid.xyz) decentralized exchange via the [Hypurr](https://hypurr.fun) gRPC backend. Provides two authentication paths — **Telegram OAuth** and **EOA wallet** (MetaMa

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a browser React wallet/connect library that performs user-invoked auth, gRPC, and Hyperliquid API requests and stores tokens/agent keys in browser storage.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports/uses the React provider and initiates wallet, Telegram auth, or trading actions.
Impact
Expected wallet connection and exchange API activity; no confirmed credential harvesting or unauthorized execution.
Mechanism
user-invoked wallet/auth/exchange client operations
Rationale
Static source inspection shows suspicious primitives are package-aligned browser wallet/auth behavior, not unconsented install/import execution or exfiltration. The git dependency and network usage increase supply-chain surface but do not establish malicious behavior in this package version.
Evidence
package.jsonsrc/agent.tssrc/privateKeySigner.tssrc/grpc.tssrc/GrpcExchangeTransport.tssrc/HypurrConnectProvider.tsxdist/index.jslocalStorage:hypurr-connect-agent:<address>localStorage:hypurr-connect-telegram-auth-tokensessionStorage:hypurr-connect-telegram-auth-state/code-verifier/return-to
Network endpoints8
grpc.hypurr.funauth.hypurr.fun/loginmedia.hypurr.funapi.hyperliquid.xyzapi.hyperliquid-testnet.xyzapi-ui.hyperliquid-testnet.xyz/exchangeapi.hyperliquid.xyz/exchangefonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Google+Sans+Code:wght@400;500;600;700&display=swap

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Read-only inspection confirms package uses browser localStorage/sessionStorage for app state and agent keys.
  • Runtime network calls go to Hypurr/Hyperliquid endpoints and configurable auth/token URLs.
Evidence against
  • package.json has no install/postinstall hook; prepare is husky only and not a consumer install payload.
  • No child_process, fs writes, eval/vm/Function, native binary loading, or persistence outside browser storage found by rg/source inspection.
  • src/agent.ts stores generated agent private keys locally and queries Hyperliquid extraAgents; no exfiltration path observed.
  • src/privateKeySigner.ts only wraps viem privateKeyToAccount and signs typed data when invoked.
  • src/grpc.ts and src/GrpcExchangeTransport.ts network endpoints are aligned with wallet/gRPC/exchange functionality.
  • dist/index.js matches bundled React/browser library behavior from src, with no import-time attack behavior identified.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
GitDependencyNoLicense
scanned 22 file(s), 454 KB of source, external domains: api-ui.hyperliquid-testnet.xyz, api.hyperliquid-testnet.xyz, api.hyperliquid.xyz, auth.hypurr.fun, fonts.googleapis.com, grpc.hypurr.fun, media.hypurr.fun, www.w3.org

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

2 Medium7 Low
MediumNetwork
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License
LowAi Review Evidence
LowAi Review Evidence