Back to skill
Skillv1.0.0
VirusTotal security
Supurr Hyperliquid Algorithmic Trading · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 3:50 AM
- Hash
- 6bd7748b38951b02190381c5a1776227087a8ba350c5b76e62baa5200a60d5e2
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: supurr-hyperliquid Version: 1.0.0 The skill is classified as suspicious due to significant supply chain vulnerabilities inherent in its installation and update mechanisms. The `scripts/install.sh` and `scripts/skill-install.sh` download and execute binaries and scripts from `https://cli.supurr.app/releases` and `https://cli.supurr.app/install`. If the `cli.supurr.app` domain or its hosting infrastructure were compromised, an attacker could distribute malicious payloads, leading to arbitrary code execution on the user's system. While the skill's stated purpose of managing Hyperliquid trading bots is legitimate and its handling of API keys is explicitly documented as necessary for its function, the reliance on remote execution for installation and updates introduces a critical RCE risk without clear malicious intent from the provided code itself.
- External report
- View on VirusTotal