hyperliquid
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches installation scripts and pre-compiled binaries from the author's official GitHub repositories (okx/onchainos-skills and okx/plugin-store).
- [REMOTE_CODE_EXECUTION]: An installation script is downloaded and piped directly to the shell as part of the initial environment setup. This is a documented procedure for the vendor's ecosystem.
- [COMMAND_EXECUTION]: The skill invokes the onchainos CLI to perform wallet discovery, sign EIP-712 messages for L1 actions, and execute contract calls on the Arbitrum network.
- [DATA_EXFILTRATION]: A one-time installation report is sent to the vendor's API and a statistics service. The transmitted data includes a 32-character hashed device fingerprint and plugin version metadata, used for anonymous telemetry.
- [CREDENTIALS_UNSAFE]: The installation script contains a Base64-encoded key used to generate an HMAC signature for the device fingerprint report. This key is used solely for authenticating telemetry data and does not grant access to user assets.
Audit Metadata