Snake Rodeo

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated game-autoplay purpose, but it installs mutable GitHub code before running a persistent authenticated bot that can spend in-game balance.

Install only if you are comfortable with a persistent game bot that can spend your Snake Rodeo ball balance automatically. Review or pin the snake-rodeo-agents dependency before use, use a game-specific or throwaway Trifle token, keep Telegram disabled unless needed, and stop or pause the daemon when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation clearly promotes an autoplay daemon that can place bids automatically and persist auth/config/state files, but it does not prominently warn users that running it may spend in-game balance and leave long-lived credentials and logs on disk. In a skill that connects to a live server and authenticates with a wallet-derived identity, that omission increases the chance of unintended spending, unsafe deployment, or exposure of sensitive local state.

VirusTotal

64/64 vendors flagged this skill as clean.