registry  /  @hfunlabs/hypurr-connect  /  0.1.31

@hfunlabs/hypurr-connect@0.1.31

React authentication and wallet connectivity library for the [Hyperliquid](https://hyperliquid.xyz) decentralized exchange via the [Hypurr](https://hypurr.fun) gRPC backend. Provides two authentication paths — **Telegram OAuth** and **EOA wallet** (MetaMa

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Network and localStorage use are aligned with a React wallet/auth connector and are activated by application/user flows, not package install.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use of HypurrConnectProvider, Telegram auth, wallet/agent approval, or exchange transport methods.
Impact
User-authorized authentication and trading-agent operations; no source evidence of stealth exfiltration or install-time mutation.
Mechanism
OAuth/gRPC/Hyperliquid wallet connector with local browser token and agent-key storage.
Rationale
Static source inspection shows a browser React connector for Hypurr/Hyperliquid with expected runtime API calls and local auth/key persistence, but no install-time execution or stealth credential/file exfiltration. The suspicious scanner hits are package-aligned primitives rather than concrete malicious behavior.
Evidence
package.jsonsrc/grpc.tssrc/GrpcExchangeTransport.tssrc/agent.tssrc/HypurrConnectProvider.tsxsrc/privateKeySigner.tssrc/AddWalletModal.tsxdist/index.js
Network endpoints11
grpc.hypurr.funauth.hypurr.fun/loginmedia.hypurr.funapi.hyperliquid.xyzapi.hyperliquid.xyz/infoapi.hyperliquid.xyz/exchangeapi.hyperliquid-testnet.xyzapi.hyperliquid-testnet.xyz/infoapi.hyperliquid-testnet.xyz/exchangeapi-ui.hyperliquid-testnet.xyz/exchangefonts.googleapis.com

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Uses runtime network calls to package/product endpoints: grpc.hypurr.fun, auth.hypurr.fun, media.hypurr.fun, Hyperliquid APIs.
  • Stores Telegram tokens and generated/imported agent private keys in browser localStorage for the wallet/auth workflow.
  • Manifest has a prepare script (husky) and a git dependency (hypurr-grpc).
Evidence against
  • package.json has no preinstall/install/postinstall hooks; prepare is dev/VCS tooling and no .husky files are present in the package file list.
  • src/grpc.ts only constructs gRPC-web clients using configurable/default Hypurr backend URL.
  • src/HypurrConnectProvider.tsx performs explicit OAuth/token exchange and user-approved Hyperliquid agent approval flows.
  • src/GrpcExchangeTransport.ts routes user exchange requests via gRPC and direct Hyperliquid POSTs; no import-time execution observed.
  • src/agent.ts generates local agent keys with crypto.getRandomValues and saves/loads only under hypurr-connect localStorage keys.
  • No child_process, fs writes, eval/new Function, dynamic import, native binary loading, AI-agent control-surface mutation, or credential harvesting beyond app auth state found.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
GitDependencyNoLicense
scanned 23 file(s), 594 KB of source, external domains: api-ui.hyperliquid-testnet.xyz, api.hyperliquid-testnet.xyz, api.hyperliquid.xyz, auth.hypurr.fun, fonts.googleapis.com, grpc.hypurr.fun, media.hypurr.fun, www.w3.org

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

2 Medium8 Low
MediumNetwork
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License
LowAi Review Evidence
LowAi Review Evidence
LowSuspicious Dependency Evidence