ClawHub

Hyperliquid Analyzer

v1.0.0

Analyze Hyperliquid market data and provide trading insights. Real-time price monitoring, trend analysis, and risk assessment.

0· 589·1 current·1 all-time
by@b0on
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Hyperliquid market analysis) align with the provided curl calls to api.hyperliquid.xyz and use of curl/jq. However, registry metadata declares HYPERLIQUID_WALLET_ADDRESS as the primary credential while SKILL.md marks the wallet address as optional and also mentions an optional HYPERLIQUID_API_KEY that is not declared in the registry — an inconsistency in declared vs. documented credentials.
!
Instruction Scope
Runtime instructions are limited to calling api.hyperliquid.xyz and parsing JSON with jq (no filesystem or unrelated env access). But portfolio tracking implies the agent may transmit the provided wallet address (privacy-sensitive) to the external API; SKILL.md doesn't explain exactly how the wallet address is used or whether other user data will be sent. The note about 'data refreshes every 5 seconds' implies frequent polling which could leak activity or hit rate limits.
Install Mechanism
Instruction-only skill with no install steps and only requires standard CLI tools (curl, jq). This minimizes disk-write/remote-executable risk.
!
Credentials
The skill declares a primaryEnv HYPERLIQUID_WALLET_ADDRESS but lists no required.env in registry; SKILL.md also documents an optional HYPERLIQUID_API_KEY that was not declared. Wallet addresses are not secret keys but are privacy-sensitive and can be linked to on-chain activity; the skill requesting a wallet address without clearly documenting how it is used or protected is disproportionate without more detail.
Persistence & Privilege
No always:true, no installs, and model invocation is allowed (the platform default). The skill does not request elevated persistence or modify other skills/configs.
What to consider before installing
This skill appears to do what it says (calls Hyperliquid API and parses results), but there are several things to check before installing: - Source and provenance: There is no homepage or source. Ask the publisher for a repository or documentation so you can inspect what will be called and how data is handled. - Wallet privacy: The skill asks for a wallet address (declared as primaryEnv). A wallet address is not a secret key but can be used to fetch on-chain holdings and link activity to you. Only provide it if you trust api.hyperliquid.xyz and the skill owner. - Missing API key declaration: SKILL.md mentions HYPERLIQUID_API_KEY as optional but it is not declared in the registry metadata. If you plan to use an API key, insist it be declared and scoped with least privilege. - Network behavior & polling: The notes on 5-second refreshes imply frequent outbound requests. If you allow autonomous invocation, consider the privacy and rate-limit implications; consider limiting autonomous runs or disabling autonomous invocation until you verify behavior. - Verify endpoints manually: Run the provided curl commands yourself to inspect responses and ensure no unexpected data exchange happens before granting any env vars. Given these inconsistencies and privacy implications, proceed cautiously: request source code or a homepage, confirm how the wallet address is used/stored/transmitted, and avoid putting sensitive credentials into the environment until you can verify the implementation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f1jy0tgk8ea3hh1939kth2h8188sy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
Binscurl, jq
Primary envHYPERLIQUID_WALLET_ADDRESS

Comments