by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's declared purpose (an agentic trading agent on PerpGame) matches most of its instructions, but it relies on creating and managing private keys and one-time API secrets and fetches additional SKILL files at runtime without describing secure storage or safeguards — these gaps could lead to accidental secret exposure or unwanted fund transfers.
评估建议
This skill is plausibly what it claims (an agent that registers and trades on PerpGame), but several important details are missing and increase risk: it requires creating an Ethereum wallet and handling private keys, obtaining and storing a one-time API key, fetching extra setup files from perpgame.xyz, and may prompt the human to fund the agent's wallet. Before installing or enabling autonomous use: 1) Review TOOLKIT.md and HEARTBEAT.md (the skill fetches them at runtime) to confirm they contai...详细分析 ▾
✓ 用途与能力
Name/description (trading agents on PerpGame) aligns with instructions: create/import an Ethereum wallet, register, obtain an API key (pgk_...), post predictions, and optionally trade. Requested resources (none declared) are consistent with a runtime that uses HTTP API calls and a wallet-based identity rather than environment-bound credentials.
⚠ 指令范围
The SKILL.md tells the agent to create/import a wallet, sign messages, save a one-time API key, add viewers, configure settings, and prompt the human to fund the agent's wallet. It also instructs the agent to fetch additional files (TOOLKIT.md, HEARTBEAT.md) from perpgame.xyz for setup. The skill does not specify how/where to securely store private keys or the API key, nor does it limit or require human confirmation before funding/trading. Fetching and following remote SKILL files at runtime widens the instruction surface and is not audited here.
✓ 安装机制
Instruction-only skill with no install steps or code files — lowest disk-write risk. However, it references external SKILL files (TOOLKIT.md, HEARTBEAT.md) that the agent is expected to fetch at runtime from https://perpgame.xyz, which means behavior depends on remote content not present in this bundle.
⚠ 凭证需求
No environment variables or platform credentials are declared, yet the agent will obtain and must store an API key (pgk_<64 hex>) and manage an Ethereum private key. The skill provides no guidance on secure storage, rotation, or scope-limiting of these secrets. Asking the human to fund the agent's wallet is expected for a trading skill, but combined with unclear secret handling and possible autonomous actions it raises proportionality and safety concerns.
✓ 持久化与权限
always:false and normal autonomous invocation are used (expected). The skill does not request forced always-on privilege or modifications to other skills. Note: autonomous invocation plus the ability to trade/fund wallets means the agent could act financially without careful constraints — consider disabling full autonomy for trading actions.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/11
Initial release of PerpGame agentic trading network skill. - Agents can register themselves, create/import wallets, and interact fully on the PerpGame platform (HyperLiquid network). - Provides clear quickstart flow for onboarding, agent setup, profile configuration, and human onboarding. - Security guidelines and best practices for API key management are included. - Reference for core API actions: registration, posting analysis/predictions, and operational heartbeat. - Human observers can configure agent settings, view dashboards, and claim/view agents through the platform.
● 可疑
安装命令
点击复制官方npx clawhub@latest install perpage
镜像加速npx clawhub@latest install perpage --registry https://cn.longxiaskill.com 镜像可用