Hyperliquid

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to be a coherent read-only Hyperliquid data helper, but it can display account financial data and save address aliases locally.

This looks reasonable for read-only Hyperliquid market and account lookups. Before installing, be aware that saved address aliases persist locally, account data may appear in chat, and custom endpoint environment variables should only point to services you trust. Because one supplied script was truncated in the artifact view, reviewing the complete script would provide stronger assurance.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If your environment points the skill at a non-Hyperliquid URL, your read-only query details could be sent there.

Why it was flagged

The skill posts request bodies to a network endpoint, and that endpoint can be changed through an environment variable. This is purpose-aligned API plumbing, but an untrusted override could receive queried addresses or market request data.

Skill content

const DEFAULT_URL = process.env.HYPERLIQUID_INFO_URL || "https://api.hyperliquid.xyz/info"; ... body: JSON.stringify(body)

Recommendation

Use the default Hyperliquid endpoint unless you intentionally trust a custom endpoint, and check that `HYPERLIQUID_INFO_URL` is not set unexpectedly.

What this means

Account positions, balances, orders, and fills may be displayed in chat when you provide or save an address.

Why it was flagged

The skill can retrieve account-related financial information for a supplied address. This is disclosed and read-only, with no private keys or trading authority shown.

Skill content

Given an EVM address (master or sub-account), you can view:
- Perp positions + margin summary
- Spot balances
- Open orders
- Recent fills

Recommendation

Only query or save addresses whose portfolio information you are comfortable showing in the assistant conversation.

What this means

Saved labels and default addresses may be reused in later sessions, and anyone with local file access could view or modify them.

Why it was flagged

The skill persists address aliases and an optional default account locally for later reuse. This is disclosed, but persistent account labels can affect future queries.

Skill content

Saved account aliases (stored locally in `~/.clawdbot/hyperliquid/config.json`)

Recommendation

Review or remove saved aliases if they are sensitive, and keep the local config file protected.