
Supurr Hyperliquid Algorithmic Trading

by yashagarwal1994 · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 840 · Stars: 0 · Active Installs: 1 · Versions: 1
Install in OpenClaw: /install supurr-hyperliquid
Description
Backtest, deploy, and monitor trading bots on Hyperliquid. Supports Grid, DCA, and Spot-Perp Arbitrage strategies across Native Perps, Spot markets (USDC/USDH), and HIP-3 sub-DEXes.
Usage Guidance
What to consider before installing or running this skill:
- Risk summary: The skill is consistent with a trading CLI (it legitimately needs wallet/API keys and will install a CLI), but its installer downloads and executes platform binaries from a custom domain (https://cli.supurr.app) using curl|bash — a high-risk pattern unless you trust and verify the publisher.
- Verify the publisher: Inspect the GitHub repo referenced in the installer (https://github.com/Supurr-App/supurr_skill) and the cli.supurr.app domain. Confirm the release artifacts' integrity (checksums/signatures) before running the installer.
- Avoid piping to bash blind: Prefer to review the install script before running. Instead of curl | bash, download the script, inspect it, and run it manually in a controlled environment.
- Protect your keys: The tool expects you to provide an API wallet private key. Do NOT supply mainnet private keys or full-access keys to untrusted code. Use a dedicated subaccount, testnet keys, or a withdraw-only/hardware-wallet-backed approach where possible.
- Test in isolation: Install and run the CLI inside a disposable VM, container, or sandbox first. Monitor network activity and file writes before trusting it with real funds.
- Prefer manual installation: If possible, build from source or download signed releases from a well-known host (GitHub Releases with signatures) rather than an unsigned single-binary download from a custom domain.
- Review persistence changes: The installer will add ~/.supurr/bin to your PATH and edit shell rc files; be prepared to remove those entries if you uninstall.
- Operational advice: Use small amounts or testnet for initial deployments; use subaccounts/vaults to isolate funds; audit the CLI's behavior when executing deploy/stop commands.
Capability Analysis
Type: OpenClaw Skill
Name: supurr-hyperliquid
Version: 1.0.0

The skill is classified as suspicious due to significant supply chain vulnerabilities inherent in its installation and update mechanisms. The `scripts/install.sh` and `scripts/skill-install.sh` download and execute binaries and scripts from `https://cli.supurr.app/releases` and `https://cli.supurr.app/install`. If the `cli.supurr.app` domain or its hosting infrastructure were compromised, an attacker could distribute malicious payloads, leading to arbitrary code execution on the user's system. While the skill's stated purpose of managing Hyperliquid trading bots is legitimate and its handling of API keys is explicitly documented as necessary for its function, the reliance on remote execution for installation and updates introduces a critical RCE risk without clear malicious intent from the provided code itself.
Capability Assessment
Purpose & Capability
The name, README, tutorials, and SKILL.md all describe a CLI for backtesting, deploying, and monitoring trading bots on Hyperliquid. The included installer scripts and CLI-installer behavior align with that purpose (installing a CLI, copying SKILL.md into agent skill dirs, adding a binary to ~/.supurr/bin). However the package source is listed as 'unknown' and the registry metadata does not declare required credentials even though the instructions clearly require wallet/API keys — a transparency gap.
Instruction Scope
The runtime instructions (SKILL.md) stay within the trading domain: generating configs, backtesting, deploying, and monitoring. They explicitly instruct the user to run 'supurr init' to store wallet address and an 'api-wallet' private key in ~/.supurr/credentials.json and reference ~/.supurr/configs/. Those file operations are expected for a trading CLI, but the instructions do ask you to store sensitive private keys locally (and to run deploy commands that will operate on real funds), so the agent/operator must be careful with key handling and privileges.
Install Mechanism
The included installers fetch code/binaries from https://cli.supurr.app (curl -fsSL | bash and direct downloads of platform binaries from cli.supurr.app/releases). This pattern (downloading and executing unsigned binaries from a custom domain) is high-risk unless you verify the provider and checksums. The skill also clones a GitHub repo (reasonable) and copies SKILL.md into many agent skill directories (aggressive but explainable). The use of platform-specific binary downloads (and optional bot engine binary) that are written to disk and made executable increases the attack surface.
Credentials
Functionally, the CLI requires wallet credentials (an API wallet private key and wallet address) and will store them under ~/.supurr/credentials.json; the tutorials and SKILL.md repeatedly instruct the user to pass an API key/private key. Yet the registry metadata declares no required environment variables or primary credential. That mismatch (documentation expecting secrets but manifest declaring none) is an incoherence and a red flag: the skill expects sensitive credentials but does not declare them up front for the platform to surface. There are no requests for unrelated cloud credentials; however, storing and handling private keys is intrinsic to the tool and must be carefully controlled.
Persistence & Privilege
The installer modifies user shell rc to add ~/.supurr/bin to PATH and writes installers/binaries into the user's home directory — normal for a CLI. The skill-install script also copies SKILL.md into multiple agent skill directories to make the skill available across tools. These are standard persistence/installation behaviors for user-level CLIs and skills, not global system privilege escalation. Still, the installer will make changes to your shell profile and place executables in your home directory without further prompting, so review before running.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install supurr-hyperliquid
  3. After installation, invoke the skill by name or use /supurr-hyperliquid
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
supurr-hyperliquid 1.0.0 — Initial Release
- Command-line tool to backtest, deploy, and monitor trading bots on Hyperliquid.
- Supports Grid, DCA, and Spot-Perp Arbitrage strategies across Native Perps, Spot markets, and HIP-3 sub-DEXes.
- Includes commands for initializing credentials, generating strategy configs, backtesting, live deployment, bot monitoring, and CLI updates.
- Detailed configuration options for each strategy.
- Provides quick reference table and complete CLI usage documentation.
Metadata
Slug: supurr-hyperliquid
Version: 1.0.0
License:
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Supurr Hyperliquid Algorithmic Trading?

Backtest, deploy, and monitor trading bots on Hyperliquid. Supports Grid, DCA, and Spot-Perp Arbitrage strategies across Native Perps, Spot markets (USDC/USDH), and HIP-3 sub-DEXes. It is an AI Agent Skill for Claude Code / OpenClaw, with 840 downloads so far.

How do I install Supurr Hyperliquid Algorithmic Trading?

Run "/install supurr-hyperliquid" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Supurr Hyperliquid Algorithmic Trading free?

Yes, Supurr Hyperliquid Algorithmic Trading is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Supurr Hyperliquid Algorithmic Trading support?

Supurr Hyperliquid Algorithmic Trading is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Supurr Hyperliquid Algorithmic Trading?

It is built and maintained by yashagarwal1994 (@yashagarwal1994); the current version is v1.0.0.
