registry  /  @hfunlabs/hypurr-connect  /  0.1.26

@hfunlabs/hypurr-connect@0.1.26

React authentication and wallet connectivity library for the [Hyperliquid](https://hyperliquid.xyz) decentralized exchange via the [Hypurr](https://hypurr.fun) gRPC backend. Provides two authentication paths — **Telegram OAuth** and **EOA wallet** (MetaMa

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a React wallet/auth SDK that performs expected OAuth, gRPC, Hyperliquid API, and localStorage operations for user-invoked wallet flows.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing the library injects CSS; network/auth/wallet actions require app/user-invoked SDK methods or UI actions.
Impact
No evidence of unconsented credential harvesting, exfiltration, destructive behavior, or install-time execution beyond husky prepare metadata.
Mechanism
Package-aligned wallet connectivity and signing transport
Rationale
Static inspection found sensitive primitives, but they are package-aligned wallet authentication and trading flows gated by user/app actions. The prepare script and git dependency are notable supply-chain hygiene concerns, not evidence of malicious behavior in this extracted package.
Evidence
package.jsonREADME.mdsrc/index.tssrc/grpc.tssrc/GrpcExchangeTransport.tssrc/HypurrConnectProvider.tsxsrc/agent.tssrc/AddWalletModal.tsxsrc/privateKeySigner.tsdist/index.jslocalStorage:hypurr-connect-tg-jwtlocalStorage:hypurr-connect-agent:*sessionStorage:hypurr-connect-telegram-auth-statesessionStorage:hypurr-connect-code-verifier:*sessionStorage:hypurr-connect-redirect-uri:*
Network endpoints11
grpc.hypurr.funauth.hypurr.fun/loginmedia.hypurr.funapi.hyperliquid.xyzapi.hyperliquid.xyz/exchangeapi.hyperliquid.xyz/infoapi.hyperliquid-testnet.xyzapi.hyperliquid-testnet.xyz/exchangeapi.hyperliquid-testnet.xyz/infoapi-ui.hyperliquid-testnet.xyz/exchangefonts.googleapis.com

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has prepare script "husky" and a git dependency hypurr-grpc#dev, but no package code executed in inspected source.
  • src/AddWalletModal.tsx can send a user-entered private key via telegramClient.hyperliquidWalletImport when the user chooses import.
  • src/agent.ts stores generated agent private keys in localStorage under hypurr-connect-agent:*.
Evidence against
  • package.json main/module point to dist/index.js; no bin entry and no install/postinstall/preinstall scripts.
  • src/grpc.ts only creates gRPC clients for https://grpc.hypurr.fun or caller-supplied config.
  • src/HypurrConnectProvider.tsx OAuth and token exchange use auth.hypurr.fun or caller-supplied authHubUrl with state/PKCE checks.
  • src/GrpcExchangeTransport.ts and src/agent.ts call Hyperliquid API endpoints for exchange/info requests, matching package purpose.
  • No child_process, fs writes, eval/vm/Function, native binary loading, persistence mechanisms, or prompt/agent-control file writes found.
  • Network and credential handling are user-invoked wallet/auth flows documented by README.md.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
GitDependencyNoLicense
scanned 22 file(s), 471 KB of source, external domains: api-ui.hyperliquid-testnet.xyz, api.hyperliquid-testnet.xyz, api.hyperliquid.xyz, auth.hypurr.fun, fonts.googleapis.com, grpc.hypurr.fun, media.hypurr.fun, www.w3.org

Source & flagged code

3 flagged · loading source
package.jsonView file
Published source reference
Low
Suspicious Dependency Evidence

package.json has prepare script "husky" and a git dependency hypurr-grpc#dev, but no package code executed in inspected source.

package.jsonView on unpkg
src/AddWalletModal.tsxView file
Published source reference
Low
Ai Review Evidence

src/AddWalletModal.tsx can send a user-entered private key via telegramClient.hyperliquidWalletImport when the user chooses import.

src/AddWalletModal.tsxView on unpkg
src/agent.tsView file
Published source reference
Low
Ai Review Evidence

src/agent.ts stores generated agent private keys in localStorage under hypurr-connect-agent:*.

src/agent.tsView on unpkg

Findings

2 Medium8 Low
MediumNetwork
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License
LowSuspicious Dependency Evidencepackage.json
LowAi Review Evidencesrc/AddWalletModal.tsx
LowAi Review Evidencesrc/agent.ts