hyperliquid
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill identifies and processes natural language user requests (e.g., "store this address...") to trigger actions. No boundary markers or sanitization layer is described, so it is vulnerable to indirect prompt injection, where an attacker embeds instructions in data the agent processes and the agent acts on them as if they were the user's request.
- Ingestion points: User-provided natural language strings and account labels/addresses.
- Boundary markers: Absent. The documentation does not describe any delimiting or 'ignore instruction' protocols for user input.
- Capability inventory: Execution of Node.js scripts via shell (node skills/hyperliquid/scripts/hyperliquid_chat.mjs), network POST requests to api.hyperliquid.xyz, and reading/writing local configuration files (~/.clawdbot/hyperliquid/config.json).
- Sanitization: Unverifiable. The description relies on 'natural-language requests and deterministic command parsing' without specifying safety guardrails.
- COMMAND_EXECUTION (HIGH): The documentation explicitly instructs the agent to execute shell commands using node and to pass user-derived strings as arguments. If the agent assembles that command as a single shell string, a label or address containing shell metacharacters (quotes, semicolons, backticks, $(...)) is interpreted by the shell before hyperliquid_chat.mjs runs, so escaping inside the script cannot prevent it; the command must be built as an argument vector and every argument validated against a strict allowlist. How the script itself handles those arguments (for example, whether it forwards them to another shell command) is a second layer that cannot be verified from the documentation.
- DATA_EXPOSURE (MEDIUM): The skill manages a local database of account aliases and addresses in ~/.clawdbot/hyperliquid/config.json. While these are public blockchain addresses, the management of this data via an LLM-driven shell script introduces risks of unauthorized data modification (for instance, an alias silently re-pointed to a different address) or exposure if the agent is manipulated into revealing the full file content.
Recommendations
- AI detected serious security threats
Audit Metadata