ArcAgent MCP
Security checks across malware telemetry and agentic risk
Overview
The skill is coherent for ArcAgent bounty work, but it directs the agent to autonomously claim bounties, edit workspace files, run workspace commands, resubmit until success, and complete payout or release actions without clear user approval limits.
Install or use this only if you want an agent to run ArcAgent bounty workflows end-to-end. Before using it, define the exact bounty, allowed commands, maximum retry attempts, and require approval before claiming, submitting, releasing a claim, or completing payout-related steps.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change code, run project commands, consume verification attempts, and resubmit work repeatedly without the user reviewing each action.
The skill combines workspace mutation, command execution, and repeated solution submission, but does not specify user approval, command limits, submission limits, or review checkpoints.
Use `workspace_edit_file`, `workspace_apply_patch`, `workspace_write_file`... Use `workspace_exec`/`workspace_exec_stream`... Resubmit with `submit_solution`. Repeat until pass or termination condition.
Require explicit user confirmation before command execution, submissions, and resubmissions; set a maximum number of attempts; and review diffs before each submit.
The agent may make commitments or account changes in ArcAgent, create verified PRs, affect payout flow, or release claims in ways the user did not explicitly approve.
These are account-level and potentially financial/workflow-affecting actions, but the artifacts do not define credential scope, eligible bounties, payout approval, or who may authorize claim release.
Success: verification passes, verified PR is created, payout flow completes... Failure: progress is blocked/exhausted, claim is released.
Use a least-privileged ArcAgent account or MCP configuration, restrict the skill to specific bounties, and require confirmation for claim, extend, release, PR, and payout-related actions.
