Byreal Perps CLI
v0.2.2
Byreal Hyperliquid perpetual futures trading CLI: account setup, market/limit orders with TP/SL, position close-market/close-limit/close-all, leverage contro...
by James333 @ggg223399
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binary (byreal-perps-cli), and npm install (@byreal-io/byreal-perps-cli) are coherent for a trading CLI. No unrelated credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md instructs only to install/use the CLI, run trading and signal commands, and provides network fallbacks and curl checks. It explicitly warns agents not to ask users to paste private keys and not to call bundled SDKs directly. It does not instruct reading unrelated system files or exfiltrating data.
Install Mechanism
Install spec uses a public npm package (@byreal-io/byreal-perps-cli) with global install. This is a normal delivery for a JS CLI but carries standard supply-chain risk (npm package integrity, typosquatting). The package homepage is a GitHub repo, which is a positive signal but should be verified.
Credentials
No environment variables or external credentials are declared; account initialization is done interactively and keys are stored locally per the docs. That is proportionate for a CLI that signs transactions locally. However, the claim that private keys 'never' leave the machine is asserted by the docs and not independently verified here.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
Assessment
This skill is internally consistent for a trading CLI, but take standard precautions before installing and using it with real funds:
1) Inspect the npm package and GitHub repo (maintainer, recent commits, issues) to confirm authenticity and that the package name isn't a typo-squat.
2) Review the package code (or request a third-party audit) to confirm key storage and networking behavior — SKILL.md's claim that private keys are never transmitted is not independently verified.
3) Prefer installing in an isolated environment/container and test on testnet (--testnet) with small amounts first.
4) Never paste private keys into chat; use the provided interactive account init.
5) Keep npm package versions pinned and verify package integrity (checksums/signatures) when possible.
Like a lobster shell, security has layers — review code before you run it.
latestvk97cqh4tas2vygbcv3qc5n5wqx83gxxp
Runtime requirements
Bins: byreal-perps-cli
Install
Node
npm i -g @byreal-io/byreal-perps-cli