AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package is a browser wallet-connect library. User authentication and trading actions contact Hypurr and Hyperliquid services; EOA agent approval is wallet-prompted, but agent private keys are retained in browser localStorage.
Decision evidence
public snapshot- `src/agent.ts` generates 32-byte private keys and persists agent keys in `localStorage`.
- `src/HypurrConnectProvider.tsx` can auto-provision a signing agent on first L1 action after a wallet signature prompt.
- `src/HypurrConnectProvider.tsx` requests broad Telegram wallet/trading/agent scopes.
- `package.json` has only `prepare: husky`, with no install/preinstall/postinstall hook.
- Entrypoint `src/index.ts` only exports React/UI and transport APIs; no install-time execution found.
- Network calls target configured Hypurr endpoints and Hyperliquid APIs for documented auth, gRPC, and exchange actions.
- No Node filesystem access, shell execution, dynamic code loading, credential harvesting, or unrelated exfiltration found.
Source & flagged code
3 flagged · loading source`src/agent.ts` generates 32-byte private keys and persists agent keys in `localStorage`.
src/agent.tsView on unpkg`src/HypurrConnectProvider.tsx` can auto-provision a signing agent on first L1 action after a wallet signature prompt.
src/HypurrConnectProvider.tsxView on unpkg`src/HypurrConnectProvider.tsx` requests broad Telegram wallet/trading/agent scopes.
src/HypurrConnectProvider.tsxView on unpkg