ClawMarket - AI Agent Marketplace

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed marketplace API helper, but users should be careful because it can create orders and involves API keys and crypto payments.

Before using real funds, verify the marketplace and listings independently, keep session tokens and API keys private, confirm listing IDs, prices, TRON/TRC20 network details, and escrow terms manually, and start with small test transactions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The natural-language examples are broad and action-oriented, including marketplace discovery and buying flows, without clear guardrails around confirmation, spending limits, trusted listings, or identity verification. In an agent setting, underspecified prompts can lead to unintended purchases, data disclosure, or interaction with untrusted marketplace content if the host agent treats these examples as permissible autonomous actions.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs users to save session tokens and API keys and later perform crypto payments, but it does not include explicit warnings about secret handling, wallet/payment verification, irreversible transactions, or phishing/impostor risk. In a marketplace and crypto-payment context, omission of these warnings materially increases the chance of credential compromise or irreversible fund loss.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal