Perpulator

Security checks across malware telemetry and agentic risk

Overview

Perpulator is a narrowly scoped API-backed futures-position calculator, but users should know it sends trade setup details to Perpulator and uses an API key from the environment.

Install only if you are comfortable sending trade setup details to Perpulator. Use a limited or dedicated Perpulator API key if possible, avoid shared terminals or logs because the key-check command may print the secret, and review Perpulator's privacy and retention practices before using it with sensitive strategy data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs the agent to read `PERPULATOR_API_KEY` from the environment and use it in a network request, but it does not tell the user that a stored credential will be accessed on their behalf. This reduces user awareness around secret access and can lead to unintended use of sensitive credentials, especially in environments where users do not expect skills to read env vars automatically.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill sends trading position details such as symbol, side, entry price, size, leverage, and optional stop-loss/take-profit/current price to `https://perpulator.vercel.app/api/v1/calculate`, but the description and workflow do not prominently warn the user that this data leaves the local environment. This is a privacy and operational-risk issue because trading plans and positions may be sensitive financial information.

VirusTotal

64/64 vendors flagged this skill as clean.
