hyperliquid-trading-agent
v1.0.1Connects to Hyperliquid via wallet, fetches market data, enforces risk rules, sizes positions, places and monitors orders for perpetual futures trading.
⭐ 0· 56·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name, description, manifest inputs, SKILL.md, README, and example code align: the package is an execution/risk layer that expects a host-provided authenticated Hyperliquid client and account state. No unrelated credentials, binaries, or external services are requested. Minor metadata inconsistencies exist (registry version 1.0.1 vs manifest version 1.2.0; registry slug 'hyperliquid-agent' vs manifest slug 'hyperliquid-execution-layer') but these are administrative and not security-critical.
Instruction Scope
SKILL.md instructions are narrowly scoped to validating signals, sizing positions, building order requests, and asking the host client to submit/confirm orders. The document explicitly forbids secret handling and requires the host to manage wallet/authentication. The skill asks to inspect market/account state (necessary for trading) and does not instruct reading unrelated system files or environment variables.
Install Mechanism
Instruction-only skill with no install spec and no file downloads. Example code is local and uses a mock client. No network-based installers or archive extraction are present.
Credentials
The skill requires host-supplied account state (balance, PnL, positions) and an authenticated client — these are sensitive but expected for a trading executor. No environment variables or secret inputs are requested by the skill itself. Ensure the host does not expose private keys or unredacted secrets when injecting the required objects.
Persistence & Privilege
always is false (no forced inclusion). disable-model-invocation is false (normal for skills that may be invoked by agents). The skill does not request persistent installation or modify other skills/config; no elevated platform privileges are requested.
Assessment
This package appears to be what it claims: a risk-aware execution layer that must be given an already-authenticated Hyperliquid client and account state. Before installing, ensure the runtime that will call this skill: (1) holds wallet keys and signs transactions (do not pass private keys into the skill inputs or prompts), (2) injects only the minimal necessary account/market objects (avoid embedding raw secrets or full key material), (3) logs and audits order submissions so you can trace actions, and (4) test the skill in a simulation/mock environment (like the provided example) before enabling it on live accounts. Also note the small manifest/registry metadata mismatches; prefer skills from a trusted publisher and verify the source if you plan to run this against real funds. If you do not want the agent to act autonomously, disable autonomous invocation in your host policy or require manual approval for executions.Like a lobster shell, security has layers — review code before you run it.
latestvk974j0b4wm1w2nb8wejhx9akdh83s4gq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.