registry  /  @hfunlabs/hypurr-connect  /  0.1.28

@hfunlabs/hypurr-connect@0.1.28

React authentication and wallet connectivity library for the [Hyperliquid](https://hyperliquid.xyz) decentralized exchange via the [Hypurr](https://hypurr.fun) gRPC backend. Provides two authentication paths — **Telegram OAuth** and **EOA wallet** (MetaMa

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface by static source inspection. The package is a React wallet/auth connector with runtime OAuth, gRPC, and Hyperliquid API calls.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing/using React provider, login, or EOA wallet actions at runtime
Impact
Expected authentication, token refresh, wallet/agent signing, and exchange API access for the library
Mechanism
User-invoked auth and trading client operations
Rationale
The suspicious network and token handling are aligned with the package's documented Hypurr/Hyperliquid wallet connector purpose, and source inspection found no install-time payload, exfiltration, persistence, or foreign AI-agent control-surface mutation. The git dependency and prepare husky script are development/package-maintenance signals rather than concrete malicious behavior in the published source.
Evidence
package.jsonsrc/index.tssrc/grpc.tssrc/HypurrConnectProvider.tsxsrc/agent.tssrc/privateKeySigner.tssrc/types.tsdist/index.js
Network endpoints9
grpc.hypurr.funauth.hypurr.fun/loginmedia.hypurr.funapi.hyperliquid.xyz/infoapi.hyperliquid-testnet.xyz/infoapi.hyperliquid.xyz/exchangeapi.hyperliquid-testnet.xyz/exchangeapi-ui.hyperliquid-testnet.xyz/exchangefonts.googleapis.com/css2

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has prepare:"husky", but no postinstall/preinstall and no .husky files in package listing
  • Runtime stores auth/agent data in browser localStorage/sessionStorage
  • EOA flow generates and stores a local agent private key after wallet signing
Evidence against
  • package.json entrypoints are dist/index.js and src/index.ts React exports, not install-time code
  • rg found no child_process, fs writes, eval/new Function, dynamic require, AI-agent config writes, or shell persistence
  • Network calls are product-aligned: Hypurr auth/gRPC and Hyperliquid info/exchange APIs
  • Telegram OAuth uses state/code verifier and configured/default auth hub token exchange
  • Agent approval requires caller-provided wallet signer and posts signed approveAgent to Hyperliquid
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
GitDependencyNoLicense
scanned 22 file(s), 484 KB of source, external domains: api-ui.hyperliquid-testnet.xyz, api.hyperliquid-testnet.xyz, api.hyperliquid.xyz, auth.hypurr.fun, fonts.googleapis.com, grpc.hypurr.fun, media.hypurr.fun, www.w3.org

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Low
Suspicious Lifecycle Evidence

package.json has prepare:"husky", but no postinstall/preinstall and no .husky files in package listing

package.jsonView on unpkg

Findings

2 Medium8 Low
MediumNetwork
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License
LowSuspicious Lifecycle Evidencepackage.json
LowAi Review Evidence
LowAi Review Evidence