AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a React wallet/auth SDK that performs expected OAuth, gRPC, Hyperliquid API, and localStorage operations for user-invoked wallet flows.
Decision evidence
public snapshot- package.json has prepare script "husky" and a git dependency hypurr-grpc#dev, but no package code executed in inspected source.
- src/AddWalletModal.tsx can send a user-entered private key via telegramClient.hyperliquidWalletImport when the user chooses import.
- src/agent.ts stores generated agent private keys in localStorage under hypurr-connect-agent:*.
- package.json main/module point to dist/index.js; no bin entry and no install/postinstall/preinstall scripts.
- src/grpc.ts only creates gRPC clients for https://grpc.hypurr.fun or caller-supplied config.
- src/HypurrConnectProvider.tsx OAuth and token exchange use auth.hypurr.fun or caller-supplied authHubUrl with state/PKCE checks.
- src/GrpcExchangeTransport.ts and src/agent.ts call Hyperliquid API endpoints for exchange/info requests, matching package purpose.
- No child_process, fs writes, eval/vm/Function, native binary loading, persistence mechanisms, or prompt/agent-control file writes found.
- Network and credential handling are user-invoked wallet/auth flows documented by README.md.
Source & flagged code
3 flagged · loading sourcepackage.json has prepare script "husky" and a git dependency hypurr-grpc#dev, but no package code executed in inspected source.
package.jsonView on unpkgsrc/AddWalletModal.tsx can send a user-entered private key via telegramClient.hyperliquidWalletImport when the user chooses import.
src/AddWalletModal.tsxView on unpkgsrc/agent.ts stores generated agent private keys in localStorage under hypurr-connect-agent:*.
src/agent.tsView on unpkg