Hyperliquid

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed read-only Hyperliquid data helper; it can show account information and save local address aliases, but I found no trading, credential theft, hidden execution, or exfiltration behavior.

Install only if you are comfortable with wallet addresses, positions, balances, orders, and fills appearing in chat when requested. Review saved aliases in `~/.clawdbot/hyperliquid/config.json`, avoid storing sensitive labels on shared machines, and leave `HYPERLIQUID_INFO_URL` unset unless you intentionally trust the replacement endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (12)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The manifest and description present the skill as a read-only market-data assistant, but the documented behavior also includes account-specific queries and local alias storage. This mismatch can mislead users and policy systems about the skill’s true capabilities, reducing informed consent and potentially exposing sensitive wallet/account identifiers through unexpected local persistence and account lookups.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
Labeling the skill as 'read-only' while documenting writes to ~/.clawdbot/hyperliquid/config.json is a capability misrepresentation. Even if the writes are only local config changes, users and automated reviewers may trust the skill more than warranted, leading to unexpected persistence of sensitive account labels and addresses.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The file exposes account-oriented read APIs such as clearinghouseState, spotClearinghouseState, openOrders, and userFills even though the skill is described as a market-data assistant. This expands the data-access scope from public market information to user-specific portfolio and trading activity, which can leak sensitive financial information if an agent is induced to query arbitrary wallet addresses.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
Retrieving user account state, open orders, and fills is not justified by the stated purpose of a read-only market data assistant. In context, this creates a privacy and scope-creep issue: a user may reasonably expect only public market lookups, while the code can also fetch identifiable trading activity for supplied accounts.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill metadata presents this as a read-only market-data assistant, but the code also supports account-related intents such as positions, balances, orders, fills, and account alias management. This expands the data-access scope beyond what users and orchestrators may expect, creating a trust and privacy boundary violation even if no on-chain writes occur.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The command handler performs local state-changing operations (`add`, `remove`, `default`) on saved account configuration despite the skill being described as read-only. In an agent environment, this can mislead reviewers and users into approving a skill that silently mutates local state, enabling persistence, account relabeling, or tampering with future account resolution behavior.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The imported configuration functions introduce local account-book management capabilities that are unrelated to a narrow market-data role. This increases attack surface and enables storage and later retrieval of sensitive account references, making the skill more dangerous in context because users would reasonably expect only public market queries.

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The inline comment describes the account block as 'read-only' while the same block implements mutating operations that change saved configuration. Misleading code comments can cause human reviewers and automated policy checks to underestimate risk, especially in an agent skill ecosystem where declared intent and implementation must match closely.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
This file persists per-user account aliases and a default account to disk under the user's home directory, which introduces stateful handling of user-linked wallet identifiers in a skill described as read-only market data. Even though the stored values are only addresses and labels, this expands the privacy and security footprint of the skill and creates an unexpected persistence mechanism that could later be abused by other code paths to act on or reveal a user's preferred account context.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The code implements account/address management features—alias creation, deletion, default selection, and account resolution—that are not necessary for fetching public Hyperliquid market data. In a supposedly read-only skill, this hidden identity-management capability increases surprise, broadens the attack surface, and could facilitate user tracking, misrouting of later account-specific queries, or future privilege creep if additional account-aware features are added.

Vague Triggers

Medium
Confidence: 90%
Finding
Broad natural-language activation with fallback intent extraction can cause the skill to trigger on ambiguous user text, leading to unintended external requests or account lookups. In this context, the danger is elevated because the skill can query account-related data and use saved aliases, so accidental invocation may expose financial information or create confusing side effects.

Missing User Warnings

Medium
Confidence: 93%
Finding
Account alias add/remove/default commands modify persistent saved configuration immediately, without confirmation, preview, or warning. In a conversational interface, ambiguous prompts or prompt-injection-influenced routing could cause unintended state changes that alter which account is used by future queries or erase saved mappings.

VirusTotal

64/64 vendors flagged this skill as clean.
