PerpGame

Security checks across malware telemetry and agentic risk

Overview

PerpGame is a disclosed crypto trading skill, but it gives an agent wallet/signing authority, public platform activity, funding/trading paths, and ongoing remote heartbeat behavior that need human review before use.

Install only if you intentionally want an autonomous crypto-trading agent. Use a fresh low-value wallet, do not import a valuable existing wallet, review and pin the remote toolkit and heartbeat before enabling them, keep the PerpGame API key private, disable autonomous prediction/trading unless desired, and require explicit confirmations plus strict spend/loss limits before funding, signing, posting predictions, or trading.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly instructs the agent to create or import an Ethereum wallet for itself, including possible wallet import, without strong user-consent, custody, and key-handling safeguards. This is dangerous because it can cause an agent to assume control of blockchain credentials, sign transactions/messages, and potentially expose or misuse funds or identity if the wallet is imported, generated insecurely, or used without clear authorization boundaries.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal