dapp-hyperliquid
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill mandates the execution of a remote script through the command 'curl -sSL https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install.sh | sh', which allows arbitrary code to run with user privileges without integrity verification.
- [EXTERNAL_DOWNLOADS]: The skill downloads and executes code from an untrusted personal GitHub account ('purong-huang-1121') while the metadata claims the author is 'okx', indicating a high risk of a supply-chain attack or impersonation.
- [COMMAND_EXECUTION]: The core functionality depends on executing unverified shell commands and scripts derived from remote sources, bypassing standard software verification processes.
- [CREDENTIALS_UNSAFE]: The skill instructions prompt users to store their 'EVM_PRIVATE_KEY' in a local configuration file. Combined with the unverified remote code execution capability, this creates a critical vulnerability where private keys can be easily stolen.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata