Back to skill

Security audit

Hyperliquid Trading & Analysis

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Hyperliquid trading tool, but it gives an agent live trading power and stores portfolio state in an unexpected local file path.

Review carefully before installing. Use testnet or a dedicated limited wallet, avoid exposing a main wallet private key to the agent environment, manually approve every order or cancel-all action, verify open orders directly, and change or remove the hard-coded trading-state path if you do not want local portfolio data written there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This script materially diverges from the declared Hyperliquid skill by introducing standalone CoinGecko-based market analysis and trade recommendations. In a trading skill, off-scope logic is dangerous because it can influence user decisions or downstream automated actions using an external data source and simplistic heuristics that are not clearly tied to Hyperliquid portfolio management.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script generates generic LONG/SHORT signals from recent CoinGecko price and volume changes using very thin logic, despite the skill being described as Hyperliquid-specific trading and portfolio tooling. In this context, unjustified signal generation increases the chance that the agent will present speculative advice as actionable guidance, which is especially risky when the surrounding skill can place trades.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script is described and named as a position-check utility, but it also mutates a local trading-state file by recording live positions, timestamps, and account size. In a trading skill, unexpected state mutation can create integrity and privacy risks: downstream tools may trust this file for automation, and stale or tampered local state could influence later trading decisions or expose sensitive portfolio data.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The `orders` command is mislabeled and returns `assetPositions` instead of open orders, which can mislead a user or downstream agent into believing there are no outstanding orders or into acting on incorrect account state. In a trading skill, state confusion is security-relevant because it can drive unsafe decisions such as placing duplicate orders or failing to cancel existing exposure.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The natural-language examples encourage high-level commands such as entering or closing positions without explicit confirmation, sizing, or guardrails. In an AI-agent context, broad action-oriented prompts can increase the chance of unintended trade execution, especially if the surrounding system maps vague user requests directly to trading actions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description uses broad activation language like general trading, portfolio status, crypto positions, and execute trades, which can cause the agent to invoke this skill for loosely related requests. Because the skill enables real-money trading actions, overbroad routing increases the chance of unintended or premature trade execution in response to ambiguous user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to set HYPERLIQUID_PRIVATE_KEY for trading but does not warn that this credential is highly sensitive and must never be displayed, logged, echoed, or included in chat/tool output. In an agent setting, omission of this guidance raises the risk of accidental secret disclosure through command construction, debugging, or error reporting, which could lead to full account compromise.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents market trades and cancel-all operations without a clear warning that these actions can cause immediate financial loss, position changes, or irreversible order cancellation. Even though the workflow mentions confirmation, the lack of explicit risk framing around destructive commands makes unsafe execution more likely in ambiguous or hurried interactions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file documents signed trading and cancellation endpoints, including order placement and cancel-all behavior, without explicit warnings that these actions can directly affect live funds and positions. In an agent skill context, examples like these can normalize or enable execution of high-impact account actions without sufficient user confirmation or guardrails, increasing the risk of unintended or unauthorized trades.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script emits direct trading recommendations such as entering LONG or SHORT positions without any warning that the output is speculative, incomplete, or financially risky. Because this skill operates in a trading context, omission of risk disclosures makes the recommendation more likely to be trusted and acted upon, increasing the chance of financial loss.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill can place market/limit orders and cancel all orders immediately based only on CLI arguments and the presence of a private key, with no runtime confirmation, preview, or explicit acknowledgment of side effects. In the context of an agent skill for live perpetual futures trading, this materially increases the risk of accidental or unauthorized destructive actions, especially if invoked by an LLM or through misunderstood user intent.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"version": "1.0.0",
  "type": "module",
  "dependencies": {
    "ethers": "^6.9.0",
    "hyperliquid": "^1.7.7",
    "node-fetch": "^3.3.2",
    "ws": "^8.19.0"
Confidence
93% confidence
Finding
"ethers": "^6.9.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"type": "module",
  "dependencies": {
    "ethers": "^6.9.0",
    "hyperliquid": "^1.7.7",
    "node-fetch": "^3.3.2",
    "ws": "^8.19.0"
  }
Confidence
93% confidence
Finding
"hyperliquid": "^1.7.7"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "ethers": "^6.9.0",
    "hyperliquid": "^1.7.7",
    "node-fetch": "^3.3.2",
    "ws": "^8.19.0"
  }
}
Confidence
93% confidence
Finding
"node-fetch": "^3.3.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"ethers": "^6.9.0",
    "hyperliquid": "^1.7.7",
    "node-fetch": "^3.3.2",
    "ws": "^8.19.0"
  }
}
Confidence
95% confidence
Finding
"ws": "^8.19.0"

Known Vulnerable Dependency: ws==8.19.0 — 2 advisory(ies): CVE-2026-45736 (ws: Uninitialized memory disclosure); CVE-2026-48779 (ws: Memory exhaustion DoS from tiny fragments and data chunks)

High
Category
Supply Chain
Confidence
98% confidence
Finding
ws==8.19.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.