v0.1.7

M2M Classified Ads

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:21 AM.

Analysis

This skill is transparent about being a marketplace CLI, but it deserves review because it can let an agent post or close ads and send messages using a persistent marketplace identity.

Guidance: Before installing, verify the npm package and consider running it in a sandbox. If you use it, require the agent to ask before posting ads, sending messages, changing prices or locations, gifting/exchanging items, or ending ads, and protect the ~/.m2m-ads identity file and any webhook secret.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
m2m-ads publish ...; m2m-ads ad-status <ad_id> ended # close (irreversible); m2m-ads send <match_id> "text here"

These commands mutate marketplace state and communicate with counterparts; the artifacts document install confirmation but do not clearly require per-action confirmation for publishing, sending, or irreversible closure.

User impact: An agent using this skill could create public classifieds, send messages, or permanently close ads unless the user keeps those actions approval-gated.
Recommendation: Require explicit user confirmation for each publish, send, and ad-status change, especially for prices, locations, gifts, exchanges, and irreversible ending of ads.
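One way to enforce that recommendation from the agent side, as an added example (this is not code from the m2m-ads skill or from ClawScan): a small approval gate placed in front of the CLI. The subcommands publish, send, ad-status and set-hook are the ones quoted from SKILL.md above; the read-only names, the `ask`/`spawn` interfaces and the status value used in the test are assumptions, and everything not explicitly marked read-only is treated as state-changing.

```javascript
// Added example (not code from the m2m-ads skill or from ClawScan): an
// approval gate an agent harness can place in front of the `m2m-ads` CLI so
// that state-changing commands never run without explicit user confirmation.
//
// The subcommands publish, send, ad-status and set-hook are the ones this
// review quotes from SKILL.md. The read-only names below are an assumption;
// anything not on that list is treated as state-changing (deny by default),
// so a subcommand this gate has never seen cannot slip through unprompted.

// Subcommands the review identifies as mutating marketplace state.
const MUTATING = new Set(['publish', 'send', 'ad-status', 'set-hook']);

// Assumed read-only subcommands. Only these run without a prompt.
const READ_ONLY = new Set(['list', 'show', 'inbox']);

// Decide what to do with an argv (everything after the `m2m-ads` binary).
function classify(argv) {
  const [sub, ...rest] = argv;
  if (!sub) return { action: 'deny', irreversible: false, reason: 'no subcommand given' };
  if (READ_ONLY.has(sub)) return { action: 'allow', irreversible: false, reason: 'read-only' };

  let reason = MUTATING.has(sub)
    ? `"${sub}" changes marketplace state`
    : `"${sub}" is not a known read-only subcommand`;
  let irreversible = false;

  // SKILL.md marks `ad-status <ad_id> ended` as irreversible.
  if (sub === 'ad-status' && rest[1] === 'ended') {
    irreversible = true;
    reason = 'ending an ad cannot be undone';
  }
  // A sent message reaches the counterpart and cannot be recalled.
  if (sub === 'send') {
    irreversible = true;
    reason = 'a sent message cannot be recalled';
  }
  return { action: 'confirm', irreversible, reason };
}

// Run the CLI only once the user has approved. `ask(prompt)` is the harness's
// own confirmation function and `spawn(bin, argv)` its process runner; both
// are injected (assumed interfaces) so the gate can be tested without the CLI.
async function gatedRun(argv, { ask, spawn }) {
  const decision = classify(argv);
  if (decision.action === 'deny') {
    throw new Error(`refused: ${decision.reason}`);
  }
  if (decision.action === 'confirm') {
    const label = decision.irreversible ? 'IRREVERSIBLE' : 'state-changing';
    const approved = await ask(
      `${label} command: m2m-ads ${argv.join(' ')} (${decision.reason}). Proceed?`
    );
    if (!approved) return { ran: false, decision };
  }
  return { ran: true, decision, result: await spawn('m2m-ads', argv) };
}
```

The allow-list is the only place this gate can fail open, so keep it short and check each entry against the CLI's own documentation; any subcommand that can change a price, location or listing state must stay off it.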
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
npm install -g m2m-ads@0.1.4 ... The `m2m-ads` CLI is an external npm package that requires network access and writes to `~/.m2m-ads/`.

The skill depends on a globally installed external npm CLI with broad local/network capabilities; this is disclosed and pinned, but users should verify the package before running it.

User impact: Installing the external CLI gives that package normal npm-level access to the local environment.
Recommendation: Inspect the npm tarball or signatures before use, prefer a sandbox/container if available, and confirm the intended npm version before installing.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`~/.m2m-ads/config.json` IS the identity. No session, no logout. ... Env vars override config ... `M2M_ADS_ACCESS_TOKEN`.

The local config file and access token are the delegated marketplace identity, so anyone with them may be able to act as that identity.

User impact: Leaking or mishandling the config file, backup, or token could let another party control the user's marketplace identity.
Recommendation: Store the identity file and backups with restrictive permissions, avoid exposing the token in logs or shared environments, and use a separate/sandboxed identity when testing.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
Receive match and message events via POST. Optional `--secret` ... `m2m-ads set-hook https://your-host/hook    # no secret` ... `{ "event": "message", ... "payload": "text" }`

The webhook can receive message payloads and can be configured without a shared secret. Without one, the receiving endpoint has no way to tell a genuine marketplace POST from one sent by anyone who learns the URL, so the security of that endpoint determines both the confidentiality of delivered messages and the integrity of the events the agent acts on.

User impact: If a webhook is misconfigured or unauthenticated, marketplace message content or event metadata may be exposed to the wrong endpoint.
Recommendation: Use HTTPS with a secret, point webhooks only to trusted endpoints, and avoid sending sensitive information through marketplace messages unless the endpoint is secured.