AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a React wallet/auth connector whose network and localStorage usage are aligned with its documented Hypurr/Hyperliquid functionality.
Decision evidence
public snapshot- package.json has a prepare script of "husky", but no install/postinstall hook.
- package.json depends on git source hypurr-grpc, a supply-chain risk but not package code execution by itself.
- src/agent.ts stores generated agent private keys in browser localStorage for the app's wallet flow.
- src/index.ts only imports CSS and exports React components/helpers; no import-time exfiltration found.
- src/grpc.ts and src/HypurrConnectProvider.tsx network calls target Hypurr auth/gRPC endpoints for OAuth and service RPCs.
- src/GrpcExchangeTransport.ts and src/agent.ts call Hyperliquid API endpoints for exchange/info operations matching README purpose.
- No child_process, fs access, eval/new Function, process.env harvesting, or AI-agent control-surface writes found.
- README documents Telegram OAuth, gRPC backend, Hyperliquid exchange, and localStorage session/agent behavior.
Source & flagged code
3 flagged · loading sourcepackage.json has a prepare script of "husky", but no install/postinstall hook.
package.jsonView on unpkgpackage.json depends on git source hypurr-grpc, a supply-chain risk but not package code execution by itself.
package.jsonView on unpkgsrc/agent.ts stores generated agent private keys in browser localStorage for the app's wallet flow.
src/agent.tsView on unpkg