Pluginv1.0.10

ClawScan security

Hyperliquid Trading · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 1, 2026, 10:24 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions broadly match a Hyperliquid trading tool, but there are inconsistencies around required binaries/install and the skill asks the user to provide a raw private key to the agent — these mismatches and the handling of secrets merit caution.
Guidance: This skill behaves like a normal CLI-driven trading tool but has a few red flags you should consider before installing or using it: - Confirm the perpgame-toolkit CLI: the SKILL.md expects a 'perpgame-toolkit' binary; verify where that CLI comes from (GitHub/npm publisher), inspect its code or releases, and only install it from a trusted source. - Avoid pasting private keys into chat: hl-setup instructs the agent to ask for your raw private key. If possible, use a safer import method (hardware wallet, WalletConnect, or have the CLI perform the import locally on your machine) rather than copying the key into the agent conversation. - Verify install path: package.json suggests an npm install path; the registry metadata omitted an install spec. If you install the npm package, audit what will be installed (check package contents and package-lock) before running it. - Test with minimal funds: before using trading/withdraw features with real funds, test workflows with a throwaway wallet or very small amounts to confirm behavior. - Check the CLI's storage claims: the SKILL.md states keys are AES-256-GCM encrypted by the CLI — ask for documentation or review the CLI code to confirm how and where keys are stored and who can access them. If you can't inspect the CLI or don't trust the publisher, do not provide your private key to the agent; prefer manual use of an audited local CLI or a hardware wallet integration.

Review Dimensions

Purpose & Capability: noteThe skill name/description (DEX trading, wallet setup, approve builder fee, trades) aligns with the runtime instructions which call a perpgame-toolkit CLI for wallet/trading operations. However, registry metadata claims no required binaries while each SKILL.md and skill metadata require the perpgame-toolkit CLI; package.json also lists an @perpgame/toolkit dependency and even an openclaw.install npmSpec. This inconsistency (no declared required binary vs per-skill requirement vs npm metadata) is unexplained.
Instruction Scope: noteThe SKILL.md files stay within trading/wallet scope (create/import wallet, onramp, approve builder fee, trade, balances). They explicitly instruct the agent to ask the user for a private key when importing a wallet and to run CLI commands via bash/exec. Requesting the private key is functionally necessary for wallet import, but it is sensitive and the SKILL.md's claim that the CLI 'never stores plaintext' is an assertion the skill doesn't prove; the agent receiving the key is an additional exposure point.
Install Mechanism: noteThe package appears to be instruction-only at runtime (index.mjs is a no-op) and there is no install spec in the registry entry. Yet package.json contains an openclaw.install.npmSpec and a dependency on @perpgame/toolkit; package-lock.json includes many downstream packages. That indicates the publisher intended an npm install path but the registry metadata omitted a clear install requirement — this mismatch increases uncertainty about what code would be pulled/installed if the user follows the package install route.
Credentials: noteNo environment variables or external credentials are declared, which is consistent with a CLI-based workflow. The real sensitive element is user-supplied secrets: the skill asks users to provide their private key (0x hex) to import a wallet. That is proportionate for a wallet-import feature, but it is high-risk: the agent (and any logs/tools it calls) would handle that secret. The SKILL.md claims encrypted storage by the CLI, but the agent-mediated transfer of the key remains an exposure.
Persistence & Privilege: okThe skill does not request always:true or elevated privileges. disable-model-invocation is false (normal), allowed-tools are bash/exec (required to run the CLI). The skill does not attempt to modify other skills or system-wide settings. No unusual persistence is requested.