AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a React wallet/auth connector that performs user-initiated Telegram, gRPC, and Hyperliquid API calls.
Decision evidence
public snapshot- package.json has prepare script "husky" and a git dependency on hypurr-grpc
- src/agent.ts stores generated agent private keys in localStorage by user address
- src/HypurrConnectProvider.tsx stores Telegram JWT in localStorage and exchanges auth codes over fetch
- package.json has no install/postinstall lifecycle hook and entrypoint is dist/index.js
- Network calls are aligned with wallet/auth functionality: Hypurr gRPC/auth/media and Hyperliquid APIs
- No child_process, fs file reads/writes, eval/Function, native binary loading, or environment harvesting found
- Agent key generation and signing are user-invoked wallet flows, with local storage only and no unrelated exfiltration
- Auth postMessage is restricted to window.location.origin and validates callback state
Source & flagged code
3 flagged · loading sourcepackage.json has prepare script "husky" and a git dependency on hypurr-grpc
package.jsonView on unpkgsrc/agent.ts stores generated agent private keys in localStorage by user address
src/agent.tsView on unpkgsrc/HypurrConnectProvider.tsx stores Telegram JWT in localStorage and exchanges auth codes over fetch
src/HypurrConnectProvider.tsxView on unpkg