hyperliquid-supurr

Pass

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: SAFE
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill manages Hyperliquid API wallet private keys via the supurr init command. These credentials are required for transaction signing and are stored locally in the ~/.supurr/credentials.json file. This behavior is standard for non-custodial trading applications.
  • [REMOTE_CODE_EXECUTION]: The README and installation scripts provide commands that pipe remote scripts to bash (curl -fsSL https://cli.supurr.app/install | bash). These endpoints are controlled by the skill author (supurr-app) and are used to install the CLI and engine binaries.
  • [EXTERNAL_DOWNLOADS]: The install.sh script downloads platform-specific binaries for the CLI and the backtest engine from https://cli.supurr.app/releases. This is the primary distribution method for the tool.
  • [COMMAND_EXECUTION]: The skill facilitates a development workflow that executes cargo build to compile custom strategies from source and runs the resulting binaries for local testing and deployment.
  • [COMMAND_EXECUTION]: The installer script modifies system shell configuration files (such as .zshrc or .bashrc) to append the ~/.supurr/bin directory to the user's PATH environment variable, ensuring the supurr command is globally available.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 16, 2026, 07:28 PM