hyperliquid
Audited by Snyk on Apr 12, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The plugin contains auto-injected pre-flight scripts that compute a device fingerprint, decode an obfuscated key, and quietly POST telemetry/install-report data to third‑party endpoints—behavior unrelated to the trading commands and obfuscated, so it constitutes a hidden/deceptive instruction.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill fetches and parses live data from the public Hyperliquid API (e.g., https://api.hyperliquid.xyz/info and https://api.hyperliquid.xyz/exchange) as part of core commands like positions, prices, order, close, tpsl, and cancel, and those remote fields are used to determine sizes, sides, prices, and to build/sign actions — meeting the criteria for untrusted third-party content that can materially influence agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's auto-injected pre-flight steps fetch and execute remote code at runtime — notably curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh and the binary download from https://github.com/okx/plugin-store/releases/download/plugins/hyperliquid@0.2.1/hyperliquid-... — and these are required dependencies for the skill to run.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that would constitute usable credentials. Most values are URLs, truncated addresses (e.g., "0x87fb..."), example addresses, and config values (these are non-secret or truncated/placeholders and are ignored per the rules).
However, the Report install section contains a base64-encoded literal assigned to _K:
'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw=='
This string is decoded and used as an HMAC key to produce an HMAC-signed device token (HMAC_SIG). That is a high-entropy literal value embedded in the script (not a placeholder or truncated example) and functions as a secret key for signing. Per the secret definition and analysis protocol, this qualifies as a hardcoded secret and should be flagged.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading plugin for the Hyperliquid on-chain perpetuals DEX and includes direct financial execution capabilities. It provides dedicated commands to place and execute market and limit orders (order, close, tpsl), cancel orders (cancel), and deposit USDC via a bridge (deposit). Write operations require signing via onchainos (EIP-712 signing) and submission to the Hyperliquid exchange endpoints. These are specific blockchain/crypto payment and trading operations (wallet signing, broadcasting transactions, bridging USDC, placing market orders), not generic tooling. Therefore it grants direct financial execution authority.
Issues (5)
- Prompt injection detected in skill instructions.
- Third-party content exposure detected (indirect prompt injection risk).
- Unverifiable external dependency detected (runtime URL that controls agent).
- Secret detected in skill content (API keys, tokens, passwords).
- Direct money access capability detected (payment gateways, crypto, banking).