hyperliquid-trading-bot

Fail

Audited by Snyk on Apr 28, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). While several links point to legitimate services (GitHub, hyperliquid.xyz, chainstack faucet), the skill instructs cloning and running code from an unfamiliar GitHub account and executing a remote install.sh (curl | sh), and it requires handling private keys. These actions can enable malware or credential theft if the sources are not fully trusted and audited.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The repository URL https://github.com/PolyPulse-Analytics/hyperliquid-trading-bot.git is fetched via "git clone" as part of installation and the fetched code is then executed (npm start / npm install), so the external content directly controls executed code for the skill.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a trading bot for the Hyperliquid DEX and contains concrete, purpose-built mechanisms to move funds. It requires a Hyperliquid wallet private key in .env (with separate testnet/mainnet flags), documents running against mainnet, and includes code and examples that create account objects and call exchange.order(...) to place limit orders. It also describes cancelling orders on shutdown, stop-loss/take-profit, allocation limits, and other risk-management features — all direct trading/transaction capabilities on a blockchain DEX. This is a specific financial execution tool (crypto wallet + order placement).

Issues (3)

  • CRITICAL E005: Suspicious download URL detected in skill instructions.

  • MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: CRITICAL

  • Analyzed: Apr 28, 2026, 07:24 AM

  • Issues: 3