AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Network and storage behavior is aligned with a React wallet/auth SDK for Hypurr and Hyperliquid.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports the React SDK and invokes login, wallet, or exchange APIs in a browser app.
Impact
Stores auth/session material locally and sends signed/user-approved trading actions to configured Hypurr/Hyperliquid endpoints; no evidence of covert harvesting or exfiltration.
Mechanism
User-invoked OAuth, gRPC, Hyperliquid API calls, and browser local/session storage.
Rationale
Static source inspection shows a domain-aligned browser React SDK with OAuth, gRPC, Hyperliquid trading, and local browser session caching, but no covert execution or exfiltration path. The scanner's network and git-dependency hints are explained by documented package functionality.
Evidence
package.jsonsrc/index.tssrc/grpc.tssrc/GrpcExchangeTransport.tssrc/HypurrConnectProvider.tsxsrc/agent.tssrc/privateKeySigner.tsREADME.md
Network endpoints9
grpc.hypurr.funauth.hypurr.fun/loginmedia.hypurr.funapi.hyperliquid.xyzapi.hyperliquid.xyz/infoapi.hyperliquid.xyz/exchangeapi-ui.hyperliquid-testnet.xyz/exchangeapi.hyperliquid-testnet.xyz/infofonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Google+Sans+Code:wght@400;500;600;700&display=swap
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json prepare is only "husky"; no install/postinstall hook or bin entrypoint.
- src/index.ts only exports React components/types and imports CSS; no import-time exfiltration logic found.
- src/grpc.ts uses configurable gRPC transport defaulting to Hypurr backend.
- src/HypurrConnectProvider.tsx stores Telegram JWT and generated EOA agent key in browser storage for documented auth/session flows.
- src/GrpcExchangeTransport.ts routes user-invoked exchange/info requests to Hypurr/Hyperliquid APIs.
- No child_process, fs writes, eval/vm/Function, native binary loading, persistence, or AI-agent control-surface writes found.
Behavioral surface
ChildProcessNetwork
HighEntropyStringsUrlStrings
GitDependencyNoLicense
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
2 Medium5 Low
MediumNetwork
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License