Back to skill

Security audit

Clawdgigs

Security checks across malware telemetry and agentic risk

Overview

This marketplace skill needs Review because it can sign payments, store authentication material, and expose under-scoped webhook and admin-transition behaviors.

Install only if you intend this agent to manage ClawdGigs marketplace activity and possibly spend funds. Use a dedicated low-balance Solana wallet, protect ~/.clawdgigs/keypair.json and token files, verify the configured API endpoint, manually review any payment transaction before signing, avoid privileged service keys in client scripts, and do not enable webhook handlers on a reachable port unless you add authentication and trust the handler code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs the user to run multiple shell scripts, but the manifest does not declare corresponding permissions or capabilities. This creates a transparency and trust gap: an agent or user may invoke shell-capable functionality without an explicit permission signal, increasing the chance of unintended command execution in a sensitive environment.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest description presents the skill as profile registration and management, but the body also includes buyer-side hiring, payment signing, and transaction submission workflows. That scope mismatch can mislead users into enabling a skill that handles funds and purchases when they expected only passive marketplace profile management.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script exposes a `complete` command in an agent-side tool and deliberately submits a privileged `role: "admin"` transition request. Even if the server is expected to reject unauthorized use, embedding admin-only functionality in a client tool encourages privilege abuse and becomes dangerous if backend authorization is weak or misconfigured.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code explicitly forges a privileged workflow by setting `role` to `admin` from an agent-facing script, which is a direct attempt to invoke higher-privilege behavior than the user should have. In the context of an order-management skill for agents, this is especially dangerous because it could enable unauthorized order completion, payment settlement, or workflow tampering if the API trusts client-supplied role fields.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The file header describes this as an agent-side order-management script, but the implementation contains admin-role completion behavior. That mismatch can mislead users and reviewers about the script's true capabilities, reducing scrutiny and increasing the chance that privileged functionality is distributed inappropriately.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The webhook mode opens a local network listener and, on receipt of a matching POST request, pipes attacker-controlled request body data into an executable specified by --handler. That creates a network-triggered local execution path that exceeds the stated purpose of watching orders and can be abused to drive privileged local automation with untrusted input.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The script is presented as an order-watching utility, but it also exposes an inbound HTTP listener in webhook mode. Expanding a polling utility into a server that accepts network input increases attack surface substantially, especially because received payloads can trigger downstream local processing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to copy their Solana private keypair file into an application-specific path for payments, but provides no warning that this file contains highly sensitive signing material. Encouraging direct reuse and duplication of a wallet key increases the chance of accidental disclosure, insecure permissions, backup leakage, or later misuse by scripts that consume that path.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The webhook guidance tells users to expose a public HTTPS endpoint and shows that order data, including buyer wallet and requirements, will be POSTed there, but it provides no warning about data exposure, authenticity verification, or secure handling. A publicly reachable webhook without signing, secret validation, replay protection, or privacy warnings can leak order details or allow spoofed notifications that trigger incorrect agent actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The keypair setup instructions direct users to copy or generate a Solana keypair used for signing payment transactions, but omit any warning that this file is a highly sensitive credential controlling funds. In the context of a skill that can initiate purchases and submit transactions, normalizing local keypair placement without security guidance materially increases the risk of wallet theft, fund loss, or unauthorized payments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends a bearer token in Authorization headers to a remote API endpoint without any explicit user notice at runtime, even when the token may come from a highly privileged PRESSBASE_SERVICE_KEY environment variable. In this skill's context, the behavior is expected for fetching account data, but it still creates credential exposure risk if the endpoint is untrusted, changed via CLAWDGIGS_API, or if users do not realize a sensitive token is being transmitted off-host.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends a registration payload to a remote API that includes a generated API token, wallet address, and a hostname-derived agent name, but it does not explicitly warn the user that these values are being transmitted off-host. This is dangerous because the token is a bearer credential for later agent authentication, and the hostname-derived name may disclose local system identity or environment details unexpectedly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script stores the generated agent token on disk and writes a configuration file without any explicit user warning that a persistent authentication secret is being saved locally. Even with restrictive permissions on the token file, local secret storage increases the blast radius of host compromise, backups, or accidental disclosure, especially because the config and token are placed in a predictable directory under the user's home folder.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The help text advertises --handler as just another option without clearly warning that it enables execution of a local script based on inbound network events. This omission can lead operators to enable dangerous behavior without understanding they are creating a remote-triggered execution pipeline.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
At the execution point, the script forwards raw webhook body content directly into a local executable handler with no authentication, integrity check, schema validation, or sandboxing. Even if the handler itself is separate, this code creates the dangerous trust boundary crossing that allows any sender reaching the port to influence local execution flow.

External Transmission

Medium
Category
Data Exfiltration
Content
echo "🤖 Updating gig $GIG_ID..."
    
    RESPONSE=$(curl -sf "$CLAWDGIGS_API/db/gigs/$GIG_ID" \
        -X PUT \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${PRESSBASE_SERVICE_KEY:-$AGENT_TOKEN}" \
Confidence
95% confidence
Finding
curl -sf "$CLAWDGIGS_API/db/gigs/$GIG_ID" \ -X PUT \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${PRESSBASE_SERVICE_KEY:-$AGENT_TOKEN}" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo "🔐 Initiating payment..."

# Step 1: Call payment initiate (expect 402 response)
INITIATE_RESPONSE=$(curl -sL "$CLAWDGIGS_API/payment/initiate" \
    -H "Content-Type: application/json" \
    -d "{
        \"gigId\": \"$GIG_ID\",
Confidence
91% confidence
Finding
curl -sL "$CLAWDGIGS_API/payment/initiate" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
agentId: $agentId
        }')

    RESPONSE=$(curl -sfL "$CLAWDGIGS_API/orders/$ORDER_ID/transition" \
        -X POST \
        -H "Content-Type: application/json" \
        -d "$PAYLOAD" 2>/dev/null) || {
Confidence
96% confidence
Finding
curl -sfL "$CLAWDGIGS_API/orders/$ORDER_ID/transition" \ -X POST \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo ""
fi

RESPONSE=$(curl -sf "$CLAWDGIGS_API/db/agents" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${PRESSBASE_SERVICE_KEY:-public}" \
    -d "$PAYLOAD" 2>/dev/null) || {
Confidence
84% confidence
Finding
curl -sf "$CLAWDGIGS_API/db/agents" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${PRESSBASE_SERVICE_KEY:-public}" \ -d

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.