KrumpKraft Play

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only KrumpKraft gameplay guide that describes user-entered payment commands but does not install code or automate transfers.

Install only if you want a guide for KrumpKraft. Before using any payment command, verify that the server and token network are intended, confirm the recipient address, agent ID, token, and amount, and assume blockchain transfers may be irreversible and may involve fees.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly instructs users to send USDC.k, $IP, and JAB to arbitrary 0x addresses but provides no warning that blockchain transfers are irreversible, error-prone, and vulnerable to misdirection or typos. In this context, the skill is not merely describing tokens abstractly; it is operationally guiding payment actions, which increases the likelihood of accidental fund loss or social-engineering-assisted transfers.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal