Supurr Hyperliquid Algorithmic Trading

Backtest, deploy, and monitor trading bots on Hyperliquid. Supports Grid, DCA, and Spot-Perp Arbitrage strategies across Native Perps, Spot markets (USDC/USDH), and HIP-3 sub-DEXes.

What to consider before installing or running this skill: - Risk summary: The skill is consistent with a trading CLI (it legitimately needs wallet/API keys and will install a CLI), but its installer downloads and executes platform binaries from a custom domain (https://cli.supurr.app) using curl|bash — a high-risk pattern unless you trust and verify the publisher. - Verify the publisher: Inspect the GitHub repo referenced in the installer (https://github.com/Supurr-App/supurr_skill) and the cli.supurr.app domain. Confirm the release artifacts' integrity (checksums/signatures) before running the installer. - Avoid piping to bash blind: Prefer to review the install script before running. Instead of curl | bash, download the script, inspect it, and run it manually in a controlled environment. - Protect your keys: The tool expects you to provide an API wallet private key. Do NOT supply mainnet private keys or full-access keys to untrusted code. Use a dedicated subaccount, testnet keys, or a withdraw-only/hardware-wallet-backed approach where possible. - Test in isolation: Install and run the CLI inside a disposable VM, container, or sandbox first. Monitor network activity and file writes before trusting it with real funds. - Prefer manual installation: If possible, build from source or download signed releases from a well-known host (GitHub Releases with signatures) rather than an unsigned single-binary download from a custom domain. - Review persistence changes: The installer will add ~/.supurr/bin to your PATH and edit shell rc files; be prepared to remove those entries if you uninstall. - Operational advice: Use small amounts or testnet for initial deployments; use subaccounts/vaults to isolate funds; audit the CLI's behavior when executing deploy/stop commands. If you want, I can: (1) fetch and summarize the GitHub repo contents for additional inspection (if accessible), (2) highlight exact lines in the installer for easier review, or (3) propose safer manual install steps you can follow.

Type: OpenClaw Skill Name: supurr-hyperliquid Version: 1.0.0 The skill is classified as suspicious due to significant supply chain vulnerabilities inherent in its installation and update mechanisms. The `scripts/install.sh` and `scripts/skill-install.sh` download and execute binaries and scripts from `https://cli.supurr.app/releases` and `https://cli.supurr.app/install`. If the `cli.supurr.app` domain or its hosting infrastructure were compromised, an attacker could distribute malicious payloads, leading to arbitrary code execution on the user's system. While the skill's stated purpose of managing Hyperliquid trading bots is legitimate and its handling of API keys is explicitly documented as necessary for its function, the reliance on remote execution for installation and updates introduces a critical RCE risk without clear malicious intent from the provided code itself.