hyperliquid
Audited by Socket on Feb 18, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

The skill's stated purpose (Hyperliquid trading and monitoring) matches its requested capabilities (read-only via address, trading via private key). There is no direct evidence of malicious code in this skill document, but significant supply-chain and credential-handling risks exist: the runtime scripts (not included) and npm dependencies could exfiltrate secrets or call non-official endpoints, and the guidance to put raw private keys in environment variables is high-risk. Before trusting and running the skill, reviewers should inspect scripts/hyperliquid.mjs and its dependencies for network endpoints, logging of environment variables, and unsafe code; prefer hardware signing or ephemeral key handling and pin/check dependency integrity.

LLM verification: Based on the provided skill documentation alone, the skill is coherent with its stated purpose and requests appropriate credentials for its functionality. The primary security concern is the use of a raw private key in an environment variable — a sensitive, high-privilege secret that must be protected. Because the actual implementation files and network endpoints are not provided, there remains an unresolved risk: the implementation could (maliciously or accidentally) exfiltrate credentials or r