supurr
Audited by Socket on Feb 24, 2026
1 alert found:
Security

This document is a command reference describing a trading-bot CLI that legitimately requires sensitive credentials (wallet address and private key) to sign actions (deploy, stop). The primary security issues are operational rather than evidence of intentional malware: storing raw private keys in ~/.supurr/credentials.json and offering command-line flags for private keys exposes secrets to local and process-level compromise. The 'update' command lacks details about trusted update sources and verification, which is an avoidable supply-chain risk.

Network endpoints used (Hyperliquid API, Supurr API, trade.supurr.app) are consistent with the stated purpose, but any risk stems from credential storage, possible unverified updates, and exfiltration if the local credentials file is compromised. I find no explicit backdoor, obfuscated code, remote exec curl|bash patterns, or hardcoded attacker URLs in this documentation; the behavior is coherent with the stated purpose but carries moderate security risk due to secret handling and unspecified update mechanisms.

Recommend: do not store private keys in plaintext; prefer hardware wallets or ephemeral signing, avoid passing secrets via CLI flags, restrict file permissions, and require signed/verified updates.
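The following is an added illustration, not code from supurr or from Socket, of the checks a user of such a CLI would run before trusting the local setup: it flags a credentials file that is readable by other local users, a raw private key stored in plaintext, and a key passed on the command line (where any local user can read it from the process table). The JSON field names, the flag names and the sample file contents are assumptions made for the example; the page does not document the real file layout.

```python
"""Pre-flight check for a locally stored wallet credential file.

Added example (not supurr's own code). Field names, flag names and the
sample credentials are assumptions; the real layout is not documented here.
"""
import json
import os
import re
import stat
import tempfile

# A raw 32-byte private key as hex, optionally 0x-prefixed (assumed format).
PRIVATE_KEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# Assumed JSON field names that might carry the key.
SECRET_FIELDS = ("private_key", "privateKey", "secret")
# Assumed CLI flag names for passing a key on the command line.
SECRET_FLAGS = ("--private-key", "--privkey", "-k")


def check_credentials_file(path: str) -> list[str]:
    """Return a list of findings for the credentials file at `path` (empty if clean)."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings  # nothing stored locally, nothing to leak
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} is accessible to group/others; expected 0600")
    # The parent directory matters too: a writable dir lets another user swap the file.
    parent = os.path.dirname(path)
    parent_mode = stat.S_IMODE(os.stat(parent).st_mode)
    if parent_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{parent}: directory is group/world writable")
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        findings.append(f"{path}: not readable as JSON")
        return findings
    if isinstance(data, dict):
        for field in SECRET_FIELDS:
            value = data.get(field)
            if isinstance(value, str) and PRIVATE_KEY_RE.match(value):
                findings.append(f"{path}: field '{field}' holds a plaintext private key")
    return findings


def argv_leaks_secret(argv: list[str]) -> bool:
    """True if a private key appears in argv, either as --flag VALUE or --flag=VALUE."""
    for i, arg in enumerate(argv):
        if "=" in arg:
            flag, _, value = arg.partition("=")
            if flag in SECRET_FLAGS and PRIVATE_KEY_RE.match(value):
                return True
        elif arg in SECRET_FLAGS and i + 1 < len(argv) and PRIVATE_KEY_RE.match(argv[i + 1]):
            return True
    return False


def demo() -> dict:
    """Run both checks against a constructed sample file and argv (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:   # created with mode 0700
        path = os.path.join(tmp, "credentials.json")
        with open(path, "w", encoding="utf-8") as fh:
            # Constructed sample: dummy wallet and dummy key, not real credentials.
            json.dump({"wallet": "0x" + "ab" * 20, "privateKey": "0x" + "11" * 32}, fh)
        os.chmod(path, 0o644)                    # deliberately too permissive
        loose = check_credentials_file(path)     # mode finding + plaintext key finding
        os.chmod(path, 0o600)
        tight = check_credentials_file(path)     # plaintext key finding only
    argv = ["supurr", "deploy", "--private-key", "0x" + "11" * 32]
    return {"loose": loose, "tight": tight, "argv_leak": argv_leaks_secret(argv)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that tightening the file mode removes only the first class of finding; the plaintext key itself is still flagged, which is the point of the audit's recommendation to prefer a hardware wallet or ephemeral signing over a stored raw key.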