Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hyperliquid Trading & Analysis

Trade and monitor Hyperliquid perpetual futures. Check balances, view positions with P&L, place/cancel orders, execute market trades. Use when the user asks about Hyperliquid trading, portfolio status, crypto positions, or wants to execute trades on Hyperliquid.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
19 · 5.7k · 40 current installs · 41 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, README, SKILL.md and code implement a Hyperliquid trading/monitoring CLI using the official SDK and CoinGecko — that aligns with the stated purpose. However, the registry metadata declares no required environment variables or primary credential even though the skill clearly needs HYPERLIQUID_PRIVATE_KEY (for trading) and HYPERLIQUID_ADDRESS (for read-only queries). This metadata mismatch is unexpected and reduces transparency.
Instruction Scope
SKILL.md instructs users to set environment variables (private key/address) and to run npm install in the scripts folder — expected for a CLI. But one script (scripts/check-positions.mjs) reads and writes a hardcoded absolute file path (/home/ana/clawd/trading-state.json). That file I/O is unrelated to core trading functionality, uses an absolute path tied to a developer's environment, and could overwrite local files if present. The skill also instructs storing private keys in env vars (common but sensitive) and will sign/send orders autonomously when invoked.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md instructs running 'npm install' in the scripts directory. Dependencies are standard packages from the npm registry (hyperliquid, ethers, node-fetch). This is typical but still carries the usual supply-chain risks of installing third-party npm packages; there are no remote downloads from untrusted URLs or archive extracts.
Credentials
Trading requires HYPERLIQUID_PRIVATE_KEY and read operations use HYPERLIQUID_ADDRESS; those are reasonable for this skill. The problem is the registry metadata advertises no required env vars or primary credential — so the skill's secret needs are not declared centrally. That mismatch reduces visibility and increases the chance a user may unknowingly expose a private key. The skill also supports testnet via HYPERLIQUID_TESTNET, which is fine.
Persistence & Privilege
The skill is not marked 'always', and model invocation is allowed (platform default). Because the skill can execute signed trades when a private key is available, autonomous invocation increases blast radius: if the agent is allowed to call the skill without per-invocation confirmation and the private key is present in the environment, it could place/cancel orders. The hardcoded state file path represents persistent local effects (writes to disk) that are outside the minimal expected scope.
What to consider before installing
This skill appears to implement a legitimate Hyperliquid trading CLI, but take these precautions before installing or giving it secrets:

  1. Don't put your main private key in the system-wide environment for the agent — use a dedicated, ephemeral key or a vault and test first on testnet.
  2. Inspect or run the code in an isolated environment (container/VM) because it will install npm packages and the scripts write to a hardcoded path (/home/ana/clawd/trading-state.json) which could overwrite local files.
  3. Prefer running read-only operations first (set only HYPERLIQUID_ADDRESS) and verify outputs.
  4. Ask the publisher to update registry metadata to declare HYPERLIQUID_PRIVATE_KEY and HYPERLIQUID_ADDRESS as required so tools and reviewers can see secret requirements up-front.
  5. If you want to use the skill, consider running it with restricted filesystem permissions and without enabling autonomous invocation, or require explicit user confirmation before any trade-executing calls.


Current version: v1.0.0
latest: vk9717r9pegfaft0fy5ktpf2ewn80013k

SKILL.md

Hyperliquid Trading Skill

Full trading and portfolio management for Hyperliquid perpetual futures exchange.

Prerequisites

Install dependencies once:

cd skills/hyperliquid/scripts && npm install

Authentication

For read-only operations (balance, positions, prices):

  • Set HYPERLIQUID_ADDRESS environment variable
  • No private key needed

For trading operations:

  • Set HYPERLIQUID_PRIVATE_KEY environment variable
  • Address derived automatically from private key

Testnet:

  • Set HYPERLIQUID_TESTNET=1 to use testnet

Core Operations

Portfolio Monitoring

Check balance:

HYPERLIQUID_ADDRESS=0x... node scripts/hyperliquid.mjs balance

View positions with P&L:

HYPERLIQUID_ADDRESS=0x... node scripts/hyperliquid.mjs positions

Check open orders:

HYPERLIQUID_ADDRESS=0x... node scripts/hyperliquid.mjs orders

View trade history:

HYPERLIQUID_ADDRESS=0x... node scripts/hyperliquid.mjs fills

Get price for a coin:

node scripts/hyperliquid.mjs price BTC

Trading Operations

All trading commands require HYPERLIQUID_PRIVATE_KEY.

Place limit orders:

# Buy 0.1 BTC at $45,000
HYPERLIQUID_PRIVATE_KEY=0x... node scripts/hyperliquid.mjs buy BTC 0.1 45000

# Sell 1 ETH at $3,000
HYPERLIQUID_PRIVATE_KEY=0x... node scripts/hyperliquid.mjs sell ETH 1 3000

Market orders (with 5% slippage protection):

# Market buy 0.5 BTC
HYPERLIQUID_PRIVATE_KEY=0x... node scripts/hyperliquid.mjs market-buy BTC 0.5

# Market sell 2 ETH
HYPERLIQUID_PRIVATE_KEY=0x... node scripts/hyperliquid.mjs market-sell ETH 2

Cancel orders:

# Cancel specific order
HYPERLIQUID_PRIVATE_KEY=0x... node scripts/hyperliquid.mjs cancel BTC 12345

# Cancel all orders
HYPERLIQUID_PRIVATE_KEY=0x... node scripts/hyperliquid.mjs cancel-all

# Cancel all orders for specific coin
HYPERLIQUID_PRIVATE_KEY=0x... node scripts/hyperliquid.mjs cancel-all BTC

Output Formatting

All commands output JSON. Parse and format for chat display:

For balance/portfolio:

  • Show total equity, available balance
  • List positions with size, entry price, unrealized P&L
  • Summarize open orders

For trade execution:

  • Confirm order details before executing
  • Report order ID and status after execution
  • Show filled price if immediately executed

Safety Guidelines

Before executing trades:

  1. Confirm trade parameters with user (coin, size, direction, price)
  2. Show current price and position for context
  3. Calculate estimated cost/proceeds

Position sizing:

  • Warn if trade is >20% of account equity
  • Suggest appropriate sizes based on account balance

Price checks:

  • For limit orders, compare limit price to current market price
  • Warn if limit price is >5% away from market (likely mistake)
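
The checks in the Safety Guidelines above, sketched as a guard that runs before the user is asked to confirm a trade. This is an added example, not code from the skill: the function name `preTradeCheck` and its input shape are hypothetical, and only the 20% and 5% thresholds come from SKILL.md.

```javascript
// Added example: pre-trade checks from the Safety Guidelines.
// Names and input shapes are hypothetical; thresholds are the ones SKILL.md states.
const MAX_EQUITY_FRACTION = 0.20; // warn if trade is >20% of account equity
const MAX_LIMIT_DEVIATION = 0.05; // warn if limit price is >5% away from market

function isPositiveNumber(x) {
  return typeof x === "number" && Number.isFinite(x) && x > 0;
}

// order:   { side: "buy" | "sell", coin, size, limitPrice? } (no limitPrice = market order)
// context: { marketPrice, equity } as numbers already parsed from the CLI's JSON output
// Returns  { ok, errors, warnings, estimatedNotional }; any error means "do not proceed".
function preTradeCheck(order, context) {
  const errors = [];
  const warnings = [];
  const isLimit = order.limitPrice !== undefined;

  // Reject unusable inputs first: a NaN size or missing price must never reach an order.
  if (order.side !== "buy" && order.side !== "sell") errors.push("side must be buy or sell");
  if (!isPositiveNumber(order.size)) errors.push("size must be a positive number");
  if (isLimit && !isPositiveNumber(order.limitPrice)) errors.push("limit price must be a positive number");
  if (!isPositiveNumber(context.marketPrice)) errors.push("market price unavailable");
  if (!isPositiveNumber(context.equity)) errors.push("account equity unavailable");
  if (errors.length > 0) return { ok: false, errors, warnings, estimatedNotional: null };

  // Estimated cost/proceeds: size is in base currency, prices are in USD.
  const price = isLimit ? order.limitPrice : context.marketPrice;
  const estimatedNotional = order.size * price;

  const fraction = estimatedNotional / context.equity;
  if (fraction > MAX_EQUITY_FRACTION) {
    warnings.push(`trade is ${(fraction * 100).toFixed(1)}% of account equity (threshold 20%)`);
  }
  if (isLimit) {
    const deviation = Math.abs(order.limitPrice - context.marketPrice) / context.marketPrice;
    if (deviation > MAX_LIMIT_DEVIATION) {
      warnings.push(`limit price is ${(deviation * 100).toFixed(1)}% away from market (threshold 5%)`);
    }
  }
  return { ok: true, errors, warnings, estimatedNotional };
}

// Constructed sample values, not real account data.
const sample = preTradeCheck(
  { side: "buy", coin: "BTC", size: 0.1, limitPrice: 45000 },
  { marketPrice: 50000, equity: 20000 }
);
console.log(JSON.stringify(sample, null, 2));
```

Warnings are returned rather than thrown so they can be shown alongside the confirmation prompt; errors block the trade outright.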

Error Handling

Common errors:

  • "Address required" → Set HYPERLIQUID_ADDRESS or HYPERLIQUID_PRIVATE_KEY
  • "Private key required" → Trading needs HYPERLIQUID_PRIVATE_KEY
  • "Unknown coin" → Check available coins with meta command
  • HTTP errors → Check network connection and API status

When errors occur:

  • Show the error message to user
  • Suggest fixes (set env vars, check coin names, verify balance)
  • Don't retry trades automatically

Workflow Examples

"How's my Hyperliquid portfolio?"

  1. Run balance to get total equity
  2. Run positions to get open positions
  3. Format summary: equity, positions with P&L, total unrealized P&L

"Buy 0.5 BTC on Hyperliquid"

  1. Run price BTC to get current price
  2. Run balance to verify sufficient funds
  3. Confirm with user: "Buy 0.5 BTC at market? Current price: $X. Estimated cost: $Y"
  4. Execute market-buy BTC 0.5
  5. Report order result

"What's the current BTC price on Hyperliquid?"

  1. Run price BTC
  2. Format response: "BTC: $X on Hyperliquid"

"Close my ETH position"

  1. Run positions to get current ETH position size
  2. If long → market-sell, if short → market-buy
  3. Execute with position size
  4. Report result

Advanced Features

List all available coins:

node scripts/hyperliquid.mjs meta

Query other addresses:

# Check someone else's positions (read-only, public data)
node scripts/hyperliquid.mjs positions 0x1234...

Notes

  • All sizes are in base currency (BTC, ETH, etc.)
  • Prices are in USD
  • Market orders use limit orders with 5% slippage protection
  • Hyperliquid uses perpetual futures, not spot trading
  • Check references/api.md for full API documentation

Files

10 total