Byreal Perps CLI

Security checks across malware telemetry and agentic risk

Overview

This skill is clearly a Hyperliquid perpetuals trading tool, but it gives agents access to high-impact leveraged trading commands with broad activation wording and limited explicit confirmation safeguards.

Install only if you intentionally want an agent-accessible CLI for Hyperliquid perpetuals trading. Use testnet or a tightly limited agent wallet first, verify the npm package source and version, and require explicit confirmation before any command that places orders, changes leverage, cancels orders, or closes positions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill description is broad enough to trigger on generic trading-analysis requests, not just explicit Hyperliquid/perps CLI tasks. In an agent setting, this can cause over-selection of a high-risk trading skill and lead to unintended financial actions or exposure to sensitive account workflows when the user only wanted general market commentary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal