registry  /  @hfunlabs/hypurr-connect  /  0.1.24

@hfunlabs/hypurr-connect@0.1.24

React authentication and wallet connectivity library for the [Hyperliquid](https://hyperliquid.xyz) decentralized exchange via the [Hypurr](https://hypurr.fun) gRPC backend. Provides two authentication paths — **Telegram OAuth** and **EOA wallet** (MetaMa

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Network and storage behavior is aligned with a React wallet/auth SDK for Hypurr and Hyperliquid.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports the React SDK and invokes login, wallet, or exchange APIs in a browser app.
Impact
Stores auth/session material locally and sends signed/user-approved trading actions to configured Hypurr/Hyperliquid endpoints; no evidence of covert harvesting or exfiltration.
Mechanism
User-invoked OAuth, gRPC, Hyperliquid API calls, and browser local/session storage.
Rationale
Static source inspection shows a domain-aligned browser React SDK with OAuth, gRPC, Hyperliquid trading, and local browser session caching, but no covert execution or exfiltration path. The scanner's network and git-dependency hints are explained by documented package functionality.
Evidence
package.jsonsrc/index.tssrc/grpc.tssrc/GrpcExchangeTransport.tssrc/HypurrConnectProvider.tsxsrc/agent.tssrc/privateKeySigner.tsREADME.md
Network endpoints9
grpc.hypurr.funauth.hypurr.fun/loginmedia.hypurr.funapi.hyperliquid.xyzapi.hyperliquid.xyz/infoapi.hyperliquid.xyz/exchangeapi-ui.hyperliquid-testnet.xyz/exchangeapi.hyperliquid-testnet.xyz/infofonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Google+Sans+Code:wght@400;500;600;700&display=swap

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json prepare is only "husky"; no install/postinstall hook or bin entrypoint.
    • src/index.ts only exports React components/types and imports CSS; no import-time exfiltration logic found.
    • src/grpc.ts uses configurable gRPC transport defaulting to Hypurr backend.
    • src/HypurrConnectProvider.tsx stores Telegram JWT and generated EOA agent key in browser storage for documented auth/session flows.
    • src/GrpcExchangeTransport.ts routes user-invoked exchange/info requests to Hypurr/Hyperliquid APIs.
    • No child_process, fs writes, eval/vm/Function, native binary loading, persistence, or AI-agent control-surface writes found.
    Behavioral surface
    Source
    ChildProcessNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    GitDependencyNoLicense
    scanned 22 file(s), 456 KB of source, external domains: api-ui.hyperliquid-testnet.xyz, api.hyperliquid-testnet.xyz, api.hyperliquid.xyz, auth.hypurr.fun, fonts.googleapis.com, grpc.hypurr.fun, media.hypurr.fun, www.w3.org

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    2 Medium5 Low
    MediumNetwork
    MediumGit Dependency
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License