Open-broker
v1.0.80
Hyperliquid trading plugin with background position monitoring and custom automations. Execute market orders, limit orders, manage positions, view funding ra...
⭐ 8· 2.7k·4 current·4 all-time
by @ya7ya
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary 'openbroker', and the primary env var HYPERLIQUID_PRIVATE_KEY are coherent for a Hyperliquid trading CLI. The declared npm install (openbroker) matches the needed binary. There are no unrelated credentials or binaries requested.
Instruction Scope
SKILL.md instructs the agent to run openbroker CLI commands (setup, buy, sell, search, etc.) and to use CLI fallback when plugin tools fail — this is consistent with a CLI-based trading skill. It also describes generating wallets and saving CLI config locally; that implies the skill will write wallet/config files and may create a wallet for the agent. The doc does not ask the agent to read unrelated system files or external secrets beyond the declared private key.
Install Mechanism
Install spec uses the npm registry package 'openbroker' and creates the openbroker binary. npm installs are expected for Node CLI tools but are a moderate supply-chain risk; no arbitrary downloads or untrusted URLs are used.
Credentials
Only HYPERLIQUID_PRIVATE_KEY is required, which is appropriate for a trading CLI. However, a private key is a highly sensitive secret — depending on the wallet type it could permit trading and/or withdrawals. The skill mentions API wallets (restricted) and fresh wallets (recommended), so protecting which key you provide is critical.
Persistence & Privilege
always is false and the skill does not request system-wide config changes or other skills' credentials. The CLI will save its own config and wallets locally (expected). Note: with the private key present the agent could autonomously place trades (normal for a trading skill), so limit the key's privileges and funds if you enable autonomous invocation.
Assessment
This skill appears to do what it says, but before installing: (1) only provide a private key that has the minimal permissions you need (prefer an API/restricted key that cannot withdraw); (2) consider generating a fresh, funded test wallet and keep real funds minimal while testing; (3) review the openbroker npm package source (or pin a vetted version) because npm packages can carry supply-chain risk; (4) use --dry and --json previews and enable logging/alerts so the agent cannot execute unexpected live trades; (5) if you are uncomfortable giving an automated agent any private key, do not set HYPERLIQUID_PRIVATE_KEY in an environment the agent can access.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: openbroker
Env: HYPERLIQUID_PRIVATE_KEY
Primary env: HYPERLIQUID_PRIVATE_KEY
Install
Install openbroker (npm)
Bins: openbroker
npm i -g openbroker