[new-plugin] ligoudan-btc-hype v0.1.0

[jonedy]

Summary

New strategy skill: ligoudan-btc-hype — BTC 囤币 + HYPE 理财.

A long-only BTC perpetual grid on Hyperliquid trading the $70k–$90k range with
8x
leverage. Realized grid profits accumulate and auto-compound into 2x HYPE perp
longs
with built-in SL (-15%) / TP (+30%) protection.

Category & Dependencies

• category: strategy
• dependent_plugin: hyperliquid-plugin ^0.3.9
• All write operations (order, close, order-batch, cancel-batch,
  tpsl)
  include --strategy-id ligoudan-btc-hype for attribution.

Commands

Command	Purpose
init	Bootstrap 10-cell grid between $70k and $90k
status	Read-only snapshot of fills, PnL, HYPE compound position
rebalance	Re-arm filled cells and place take-profit sells
compound	Reinvest realized profit into HYPE 2x longs
shutdown	Cancel all grid orders and optionally close positions

Risk Tier: advanced

This skill opens leveraged positions automatically and meets the advanced-tier
requirements:

• Dry-run preview on every init, compound, and shutdown write
• Stop-loss mandatory on every HYPE compound position
• Hard cap on total HYPE compound notional ($5,000 default)
• Explicit disclaimer in SKILL.md (§ Security Notices)
• --strategy-id attribution on every write for audit

Liquidation math: aggregate P_liq ≈ 80,612 − capital_usdc / (9.8 × size_btc).
With default params (capital $30k, size 0.0015 BTC), P_liq ≈ $60,572, ~10k
below
the grid floor.

Checklist

• plugin.yaml, .claude-plugin/plugin.json, SKILL.md, SUMMARY.md, LICENSE
  present
• name follows naming rules (lowercase/hyphens, 18 chars, no okx-
  prefix)
• version 0.1.0 consistent across all three files
• author.github matches PR submitter (jonedy)
• No hardcoded keys, credentials, or pre-compiled binaries
• SKILL.md includes all required sections
• SUMMARY.md includes Overview / Prerequisites / Quick Start
• All write operations carry --strategy-id ligoudan-btc-hype
• Risk level declared as advanced with corresponding safeguards

[github-actions]

✅ Phase 1: Structure Validation — PASSED

Linting skills/ligoudan-btc-hype...


✓ Plugin 'ligoudan-btc-hype' passed all checks!

→ Proceeding to Phase 2: Build Verification

[github-actions]

📋 Phase 3: AI Code Review Report — Score: 87/100

Plugin: ligoudan-btc-hype | Recommendation: ✅ Ready to merge

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: claude-opus-4-7 via Anthropic API | Cost: ~308214+7784 tokens

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.

---

1. Plugin Overview

Field	Value
Name	ligoudan-btc-hype
Version	0.1.0
Category	strategy
Author	ligoudan (jonedy)
License	MIT
Has Binary	No (Skill only)
Risk Level	🔴 High Risk (advanced — 8x leveraged perp grid + 2x compound longs)

Summary: A Hyperliquid strategy plugin that runs a 10-cell BTC perpetual grid between $70k–$90k with 8x leverage, and automatically compounds realized grid profits (≥$50) into 2x HYPE long positions with -15% SL / +30% TP protection. All write operations are delegated to hyperliquid-plugin with strategy-id attribution.

Target Users: Advanced DeFi users comfortable with leveraged perpetual futures on Hyperliquid who want automated BTC range trading plus slow HYPE accumulation. Not for beginners — requires ~$30,000 USDC collateral.

2. Architecture Analysis

Components:
Skill only (no binary). components.skill.dir: ".".

Skill Structure:
SKILL.md includes Overview, Pre-flight Checks (5 checks), Configuration (parameter table with defaults), Commands (init / status / rebalance / compound / shutdown), Error Handling (8 error codes), Security Notices (advanced-tier risk disclosures). ~6 commands documented; no reference docs directory.

Data Flow:

1. Reads market data via onchainos hyperliquid prices --coin BTC/HYPE
2. Reads position/order state via onchainos hyperliquid positions and orders
3. Writes grid orders via onchainos hyperliquid order-batch/order/tpsl/cancel-batch/close
4. Persists strategy state to $HOME/.local/share/ligoudan-btc-hype/state.json (realized profit, cell status, compound history)
5. All writes include --strategy-id ligoudan-btc-hype --confirm for attribution

Dependencies:

• hyperliquid-plugin (^0.3.9) — mandatory dependent plugin for all on-chain writes
• Hyperliquid L1 (perp trading venue)
• Arbitrum (USDC bridge source)

3. Auto-Detected Permissions

onchainos Commands Used

Command Found	Exists in onchainos CLI	Risk Level	Context
onchainos hyperliquid register	❌ Not in core onchainos CLI (provided by hyperliquid-plugin)	Low	Pre-flight check
onchainos hyperliquid address --all	❌ Plugin-provided	Low	Pre-flight check
onchainos hyperliquid prices	❌ Plugin-provided	Low	Read mid price
onchainos hyperliquid deposit	❌ Plugin-provided	High	Bridge USDC
onchainos hyperliquid positions	❌ Plugin-provided	Low	Read-only
onchainos hyperliquid orders	❌ Plugin-provided	Low	Read-only
onchainos hyperliquid order-batch	❌ Plugin-provided	High	Write — batch order placement
onchainos hyperliquid order	❌ Plugin-provided	High	Write — single order
onchainos hyperliquid tpsl	❌ Plugin-provided	High	Write — SL/TP attach
onchainos hyperliquid cancel-batch	❌ Plugin-provided	Medium	Write — cancel orders
onchainos hyperliquid close	❌ Plugin-provided	High	Write — market close
onchainos leaderboard	✅ Exists in core CLI	Low	Mentioned for audit attribution

Note: All hyperliquid subcommands are provided by the declared hyperliquid-plugin dependency, NOT by core onchainos CLI. This is correct design for a strategy plugin.

Wallet Operations

Operation	Detected?	Where	Risk
Read balance	Yes	Pre-flight step 3 (hyperliquid address --all)	Low
Send transaction	Yes (delegated)	init / rebalance / compound / shutdown	High
Sign message	Yes (delegated to hyperliquid-plugin)	All write ops	High
Contract call	Yes (delegated)	order/order-batch/tpsl/close	High

External APIs / URLs

URL / Domain	Purpose	Risk
(none detected in SKILL.md)	—	—

No direct external URLs, RPC endpoints, or third-party APIs referenced. All network traffic flows through the hyperliquid-plugin dependency.

Chains Operated On

• Hyperliquid L1 — perp trading execution (BTC, HYPE)
• Arbitrum — USDC source for deposits (mentioned in prerequisites)

Overall Permission Summary

This plugin is a trading orchestration layer. It does not connect directly to chains or wallets; instead it delegates all signing/broadcasting to hyperliquid-plugin. Capabilities include: placing batch perp orders (8x leverage BTC longs), placing single compound orders (2x HYPE longs), attaching SL/TP, cancelling orders, and market-closing positions. It can commit up to $30,000+ USDC of user capital in leveraged positions and compound up to $5,000 additional HYPE exposure. No credential access, no file system access beyond state.json. Correctly enforces --strategy-id and --confirm on every write. The primary risk is financial (liquidation at ~$60.5k BTC), not technical.

4. onchainos API Compliance

Does this plugin use onchainos CLI for all on-chain write operations?

Yes — via the declared hyperliquid-plugin which extends the onchainos CLI. This is the correct pattern for strategy plugins.

On-Chain Write Operations (MUST use onchainos)

Operation	Uses onchainos?	Self-implements?	Detail
Wallet signing	✅	No	Delegated to hyperliquid-plugin
Transaction broadcasting	✅	No	Delegated
DEX swap execution	N/A	No	Not a DEX plugin
Token approval	N/A	No	Not needed for Hyperliquid perps
Contract calls	✅	No	Delegated via order/order-batch/tpsl/close
Token transfers	✅	No	Delegated via deposit

Data Queries (allowed to use external sources)

Data Source	API/Service Used	Purpose
onchainos hyperliquid prices	Hyperliquid API (via plugin)	BTC/HYPE mid price
onchainos hyperliquid positions	Hyperliquid API (via plugin)	Position state
onchainos hyperliquid orders	Hyperliquid API (via plugin)	Open orders

External APIs / Libraries Detected

None directly. All external I/O flows through hyperliquid-plugin.

Verdict: ✅ Fully Compliant

The plugin correctly treats itself as an orchestration layer with zero direct wallet/chain access. Every write operation is delegated to the declared dependent plugin with proper attribution flags.

5. Security Assessment

Static Rule Scan (C01-C09, H01-H09, M01-M08, L01-L02)

Rule ID	Severity	Title	Matched?	Detail
M01	MEDIUM	supply-chain-unpinned	⚠️	SKILL.md contains npx skills add okx/plugin-store --skill hyperliquid-plugin (no version pin). However, this pattern is referenced as a remediation instruction inside the plugin store ecosystem, and dependent_plugin declares ^0.3.9. Low-severity, informational.
M07	MEDIUM	missing-untrusted-data-boundary	❌	SKILL.md does not process raw third-party CLI/API output fields that could be injected (no token name/symbol rendering from external sources). Data consumed is numeric (prices, sizes) from trusted hyperliquid-plugin. Not applicable.
All other rules (C01-C09, H01-H09, M02-M06, M08, L01-L02)	—	—	❌	No matches. No curl|sh, no hardcoded secrets, no credential access, no persistence, no network exfiltration patterns, no prompt injection artifacts, no resource exhaustion, no dynamic code execution.

LLM Judge Analysis (L-PINJ, L-MALI, L-MEMA, L-IINJ, L-AEXE, L-FINA, L-FISO)

Judge	Severity	Detected	Confidence	Evidence
L-PINJ (Prompt Injection)	CRITICAL	❌	0.95	No hidden instructions, no role reassignment, no CLI param injection. User input is not interpolated into shell.
L-MALI (Malicious Intent)	CRITICAL	❌	0.90	Declared behavior (leveraged grid + compound) matches implementation intent. No hidden data exfiltration or deceptive functionality.
L-MEMA (Memory Poisoning)	HIGH	❌	0.95	No writes to MEMORY.md, SOUL.md, .claude/memory/, or ~/.bashrc. state.json is scoped to plugin's own data dir.
L-IINJ (External Request)	INFO	❌	0.90	No direct external requests; all I/O via trusted plugin dependency.
L-AEXE (Autonomous Execution)	INFO	⚠️	0.80	Strategy designed for semi-autonomous execution. However, SKILL.md explicitly requires dry-run + user approval before every --confirm write. rebalance is described as safe to call periodically (potentially via cron) — this is the main autonomy concern, mitigated by state gating and caps.
L-FINA (Financial Scope)	HIGH	✅	0.95	Write + clear confirmation gating + capital caps. Operates on 8x BTC perp ($30k) and 2x HYPE ($5k cap). Classified as INFO/HIGH hybrid: HIGH because failures have large blast radius, but mitigated by mandatory dry-run, explicit user approval, SL/TP on HYPE, and hard notional cap. Default financial risk is transparent and user-disclosed.
L-FISO (Financial Sovereignty)	—	❌	0.90	User retains full control; plugin does not escalate limits autonomously.

Toxic Flow Detection (TF001-TF006)

No toxic flows detected. The plugin's legitimate financial operations (H05/direct-financial pattern) do not combine with any of: curl|sh (C01), credential exfiltration (C05), persistence (H03), missing data boundary (M07), or malicious intent. TF005 and TF006 do not trigger.

Prompt Injection Scan

Checked for: instruction override, identity manipulation, hidden behavior, confirmation bypass, unauthorized operations, hidden content. SKILL.md is clean — all commands are explicit, confirmations are mandatory, no base64/unicode obfuscation.

Result: ✅ Clean

Dangerous Operations Check

Plugin involves: leveraged perp order placement, market closes, batch cancellations. Every write operation requires:

1. Dry-run preview shown to user
2. Explicit user approval
3. --confirm flag
4. --strategy-id ligoudan-btc-hype attribution

Pre-flight checks validate liquidation distance, price range, capital, and dependent plugin availability before any action.

Result: ✅ Safe

Data Exfiltration Risk

No access to credentials, no network requests, no writes outside $HOME/.local/share/ligoudan-btc-hype/. state.json contains only trading state (order IDs, PnL counters).

Result: ✅ No Risk

Overall Security Rating: 🟡 Medium Risk

Rating reflects financial risk only, not technical/code risk. The code is clean and compliant. The financial risk (8x leverage, potential capital loss, HYPE correlation to BTC downside) is large but fully disclosed in the security notices section.

6. Source Code Security (if source code is included)

Skipped — plugin has no source code / no build section. Skill-only plugin.

7. Code Review

Quality Score: 87/100

Dimension	Score	Notes
Completeness (pre-flight, commands, error handling)	23/25	Excellent: 5 pre-flight checks, 5 commands fully documented, 8 error codes with resolutions, state file schema described
Clarity (descriptions, no ambiguity)	22/25	Clear bilingual (EN/CN) explanations. Each command has "When to use", "Steps", "Output" sections. Minor: grid liquidation formula lacks derivation
Security Awareness (confirmations, slippage, limits)	24/25	Mandatory dry-run before every write, SL/TP on every HYPE compound, notional cap ($5k), explicit liquidation warnings, disclaimer present
Skill Routing (defers correctly, no overreach)	14/15	Correctly delegates all writes to hyperliquid-plugin. Uses --strategy-id on every write. Does not attempt direct chain access
Formatting (markdown, tables, code blocks)	4/10	Tables and code blocks well-formed. Deducted for lack of a references/ directory and absence of version-pinning example in the install command

Strengths

• Exemplary dependent_plugin usage: every write operation documented with --strategy-id and --confirm flags
• Strong financial risk disclosure: liquidation math shown (P_liq ≈ $60,572), HYPE-BTC correlation warning, notional cap, no yield guarantee
• Dry-run pattern enforced consistently across init / compound / shutdown

Issues Found

• 🟡 Important: State file path $HOME/.local/share/ligoudan-btc-hype/state.json is Linux-centric. Windows/macOS behavior should be specified (e.g., $XDG_DATA_HOME fallback)
• 🟡 Important: rebalance is described as "periodically (e.g., every hour via cron in the user's own scheduler)" — consider warning users explicitly that autonomous rebalance via cron will also trigger autonomous HYPE compounding, and recommend dry-run or manual approval for compound even inside rebalance
• 🔵 Minor: Grid step is $2000 which yields 10 cells ($70k, $72k, …, $88k). Example JSON in init step 3 shows all 10 orders explicitly — good clarity
• 🔵 Minor: No mention of how filled-but-unacknowledged orders are reconciled if state.json gets out of sync with Hyperliquid (E_STATE_CORRUPT error code exists but recovery flow could be more detailed)

8. SUMMARY.md Review

Check	Result
File exists	✅
Written in English	✅ (with bilingual CN note in Overview)
Has Overview section	✅
Has Prerequisites section	✅
Has Quick Start section	✅
Character count ≤ 17,000	✅ 2,366 chars

9. Strategy Attribution Check

This plugin is a trading strategy — it delegates write operations to hyperliquid-plugin (declared in dependent_plugin).

Dependent Plugin Declarations

Declared Plugin	Exists in Registry	Version Compatible
hyperliquid-plugin	✅ Assumed (standard Plugin Store dependency)	^0.3.9 (semver range — acceptable for strategy plugins)

Strategy Attribution Scan

Since this plugin is skill-only (no source code files), attribution scanning is performed against SKILL.md command examples rather than code files.

Location	Command	Has --strategy-id	Write Operation
SKILL.md init step 4 (dry-run)	onchainos hyperliquid order-batch ... --strategy-id ligoudan-btc-hype --dry-run	✅	Yes (write)
SKILL.md init step 5 (submit)	onchainos hyperliquid order-batch ... --strategy-id ligoudan-btc-hype --confirm	✅	Yes (write)
SKILL.md status step 1	onchainos hyperliquid positions	N/A	No (read)
SKILL.md status step 2	onchainos hyperliquid orders --coin BTC	N/A	No (read)
SKILL.md rebalance step 1	onchainos hyperliquid orders --coin BTC	N/A	No (read)
SKILL.md rebalance step 2	TP sell placement via order "with --strategy-id"	✅ (described)	Yes (write)
SKILL.md rebalance step 2	Re-arm buy placement "with --strategy-id"	✅ (described)	Yes (write)
SKILL.md compound step 6 (dry-run)	onchainos hyperliquid order --coin HYPE ... --strategy-id ligoudan-btc-hype --dry-run	✅	Yes (write)
SKILL.md compound step 8	onchainos hyperliquid tpsl --coin HYPE ... --strategy-id ligoudan-btc-hype --confirm	✅	Yes (write)
SKILL.md shutdown step 2	onchainos hyperliquid cancel-batch ... --strategy-id ligoudan-btc-hype --dry-run	✅	Yes (write)
SKILL.md shutdown step 4	onchainos hyperliquid close --coin BTC --strategy-id ligoudan-btc-hype --confirm	✅	Yes (write)
SKILL.md shutdown step 5	onchainos hyperliquid close --coin HYPE --strategy-id ligoudan-btc-hype --confirm	✅	Yes (write)

Result: ✅ All write operations documented in SKILL.md include --strategy-id ligoudan-btc-hype. The SKILL.md explicitly states: "All write operations MUST pass --strategy-id ligoudan-btc-hype and --confirm." and "This skill never escalates leverage, capital, or cap without an explicit user instruction."

One minor item: in rebalance step 2, the TP sell placement command is described in prose rather than as a full CLI example. Adding an explicit code block would strengthen the guarantee.

Sensitive Data Check (Strategy-specific)

Check	Result
Hardcoded private keys (0x + 64 hex chars)	✅ None detected
Hardcoded RPC URLs (should use env vars)	✅ None detected
Plaintext API keys	✅ None detected

10. Recommendations

1. Add a concrete CLI example for the rebalance TP-sell command (currently described prose-style) to make strategy-id attribution unambiguous for audit.
2. Cross-platform state file path: Replace $HOME/.local/share/... with an explicit statement that the plugin uses the appropriate OS data directory (e.g., %APPDATA% on Windows, ~/Library/Application Support/ on macOS), or use $XDG_DATA_HOME with documented fallback.
3. Reconsider autonomous compound-in-rebalance: If rebalance is called via cron, HYPE compounding will also be triggered autonomously. Recommend either (a) requiring --auto-compound flag for rebalance to trigger compound, or (b) explicitly warning users that cron-based rebalance opens HYPE positions without further user prompts.
4. Document state.json schema in a references/state-schema.md file to support recovery when E_STATE_CORRUPT fires.
5. Pin hyperliquid-plugin version more tightly if the ^0.3.9 semver range includes breaking changes. Consider using ~0.3.9 or exact pin for production strategy plugins.
6. Add a "paper trading" / simulation mode (--simulate) so users can validate the strategy end-to-end before committing real capital.

11. Reviewer Summary

One-line verdict: Well-designed, compliance-clean Hyperliquid strategy plugin with strong risk disclosure and correct attribution — ready to merge with minor documentation improvements suggested.

Merge recommendation: ⚠️ Merge with noted caveats

Caveats:

• Strategy places leveraged perpetual orders and compounds into directionally correlated HYPE — the 🔴 financial risk level is inherent to the design, not a plugin defect
• Consider addressing Recommendation [new-plugin] test-rust-cli v1.0.0 — E2E verification #3 (autonomous compound in rebalance via cron) before marketing as "set-and-forget"
• Recommendation feat: merge plugin-store-community + PRD optimization #2 (cross-platform state path) should be clarified before users on Windows/macOS attempt installation

No blocking security issues. The plugin correctly implements the strategy plugin contract: zero direct chain/wallet access, full delegation to declared dependent plugin, strategy-id attribution on every write, mandatory dry-run + confirmation flow, and transparent financial risk disclosure.

---

Generated by Claude AI via Anthropic API — review the full report before approving.

[Noah3595]

Plugin Store DApp Popularity Contest

• 💰 Prize Pool: 17,700 USDC
• 📅 Period: Apr 23 – May 7, 23:59 (UTC+8)
• 🧩 Featured Basic Skills: Polymarket Plugin | Hyperliquid Plugin

---

About the Contest

Plugin Store is the decentralized agent plugin marketplace on Onchain OS.

This contest focuses on two trading-related Basic Skills in Plugin Store — the Polymarket Plugin and the Hyperliquid Plugin — and encourages developers to build more high-quality strategy Skills around them.

Contest Rules

• Strategy Skills must be built on top of the Polymarket Plugin or the Hyperliquid Plugin.
• Each strategy Skill is ranked across three independent dimensions: trading volume, number of trades, and number of unique trading addresses.

Scoring Rules

• Stats are aggregated per Skill. If you submit multiple Skills, each one is scored and competes independently.
• Only trades initiated through Onchain OS and executed via the Polymarket Plugin or Hyperliquid Plugin are counted. Trades that bypass the Basic Skill are excluded.
• Leaderboards are synced daily in the official community. Final standings are locked at May 7, 23:59 (UTC+8).

Four Steps to Participate

1. Open Plugin Store and install the Polymarket Plugin or the Hyperliquid Plugin.
2. Build your own strategy on top of the Plugin.
3. Use your strategy — the three metrics will be tracked automatically.
4. Submit the entry form: https://forms.gle/gFCef1Y4qCv49L2z7

Three Leaderboards · 5,900 USDC each · 17,700 USDC in total

Trading Volume | Number of Trades | Unique Trading Addresses

• Top 1 — 1,300 USDC
• Top 2 — 800 USDC
• Top 3–5 — 600 USDC × 3
• Top 6–10 — 400 USDC × 5

A single Skill can win on multiple leaderboards. All prizes are paid in USDC.

⚠️ Red Lines

Sybil attacks · Plagiarism · Malicious code

The contest follows fair-play principles. Any confirmed violation will result in immediate removal from the leaderboards.

---

⚠️ Skills/Plugins not officially listed on OKX Plugin Store have not been reviewed by OKX. Please be aware of the risks when installing or running third-party Skills.