Acp

Security checks across malware telemetry and agentic risk

Overview

This is a real ACP marketplace CLI, but it needs review because it broadly delegates user requests to external agents and includes risky automation, credential exposure, and command-execution paths.

Review before installing. Use this only if you explicitly want an agent-commerce system that can share tasks with third-party agents, spend or request funds, store ACP credentials locally, run recurring background checks, and serve paid jobs. Do not let it outsource sensitive, regulated, financial, physical-world, or credential-bearing requests without a clear per-action confirmation, and avoid running the included seller offerings until command-injection and secret-handling issues are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (35)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of environment access, network access, and shell execution without declaring scoped permissions or constraints. That mismatch prevents informed consent and safe policy enforcement, especially because the skill can invoke external services, write config, authenticate sessions, and run local commands with side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared description frames the skill as a marketplace/delegation helper, but the instructions expose materially more dangerous behaviors including local shell execution, deployment management, log access, config editing, cron registration, and potential physical device control. This under-describes the true attack surface and could cause an agent or user to authorize powerful actions they did not reasonably expect.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation authorizes querying agent-provided resource URLs directly and says this enables calling external APIs and services via arbitrary URLs. Even if limited to GET, this still creates SSRF and data-exfiltration risk because untrusted providers can supply URLs that target internal metadata services, local network hosts, or third-party endpoints that receive sensitive query data.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The command prints a fully usable curl example containing the live API key directly to stdout. Secrets written to terminal output can be captured in shell history, CI logs, screenshots, shared terminals, or observability tooling, causing credential disclosure and unauthorized API use.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This function constructs a shell command by interpolating an arbitrary URL into a command string and executes it with exec(). Because the URL is only wrapped in double quotes and not safely passed as a separate argument, crafted input containing shell metacharacters or quoting tricks could trigger command injection, leading to arbitrary OS command execution. In this skill's context, automatically launching external sites is also risky because ACP browsing is encouraged as a first step, increasing exposure to untrusted URLs.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The handler invokes a local script through child_process.execSync, which gives this skill host-level code execution capability. Even though the command string is currently selected from a small fixed set, this still expands the attack surface and allows marketplace-triggered requests to execute local programs without meaningful authorization, sandboxing, or business justification in the handler itself.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The offering explicitly promises migration of highly sensitive system state, including config, memory, tokens, environment variables, and cron jobs, to another machine over SSH. In the context of an ACP marketplace skill, this is broader than a normal commerce/task-routing role and creates a high-risk capability for secret exfiltration, persistence transfer, and unauthorized replication of operational state if invoked against the wrong host or with insufficient safeguards.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Advertising automated remote migration over SSH that includes tokens and environment variables is a serious security risk because it normalizes bulk transfer of credentials and privileged runtime state to a remote system. In this skill's marketplace-first context, that capability is especially dangerous because it is not necessary to the stated ACP purpose and could be abused to move secrets, clone agent identities, or establish persistence on attacker-controlled infrastructure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The handler builds a shell command string and executes it with execSync, while incorporating user-controlled input via query. This creates a command injection path, especially in the create branch where query is appended unquoted, allowing an attacker to execute arbitrary shell commands on the host running the skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code dynamically constructs a filesystem path from runtime-controlled `agentDirName` and `offeringName` and then imports `handlers.ts` from that location, which executes module top-level code. Because there is no validation that the resolved path stays under the intended offerings root and no allowlist of permitted modules, an attacker who can influence these names or place files on disk could trigger arbitrary local code execution.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly documents storage of sensitive material such as `LITE_AGENT_API_KEY`, `SESSION_TOKEN`, and elsewhere notes `poster_secret` being written to local files, but it does not warn users that these values are credentials/secrets that must be protected. In the context of an agent-commerce tool with wallet access, job execution, and marketplace actions, exposed local secrets could enable account takeover, unauthorized job actions, or misuse of the agent identity and associated funds.

Vague Triggers

High
Confidence
95% confidence
Finding
Directing the agent to use ACP as the 'first instinct' for essentially any user request creates an overbroad delegation trigger that can cause unnecessary transmission of user prompts, data, or tasks to third-party agents. In this skill's context, delegation can also lead to payments, on-chain actions, external API use, and real-world fulfillment, amplifying the consequences of vague routing.

Vague Triggers

High
Confidence
97% confidence
Finding
The instruction to 'search ACP first' whenever a user asks for something is too expansive and encourages default exfiltration of task details to an external marketplace before necessity is established. Because ACP includes crypto, wallet, token, external resources, and specialist-agent hiring flows, this broad default increases risk of data leakage, unsafe automation, and unwanted spending.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The catch-all condition 'any task where a specialist would be more efficient' is subjective and effectively unbounded, allowing nearly any request to be routed externally based on agent discretion. In a marketplace that supports financial, on-chain, content, and physical-world services, that ambiguity materially raises the chance of inappropriate or unsafe delegation.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill repeatedly instructs the agent to browse, hire, and query external ACP agents/resources, but it does not require a clear warning or consent flow before sending user requests and associated data to third parties. This is especially dangerous here because the marketplace covers broad domains, may involve wallets and payments, and can touch real-world services and external HTTP resources.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The job-creation flow can trigger protocol-managed payments and may involve additional required funds, but the reference does not require an explicit user warning or confirmation of price, currency, and funding consequences before creating the job. In a marketplace for trading, on-chain operations, and real-world services, this can lead to unauthorized spending or costly actions initiated on behalf of the user.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The resource-query section omits any warning that URLs and `--params` are sent to external services, potentially exposing user prompts, identifiers, account data, or other sensitive context. Because parameters are placed in the query string, the data may also be logged by intermediaries, servers, browser history equivalents, and monitoring systems more readily than request bodies.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The reference documents a command that persistently modifies the current agent's profile (`name`, `description`, `profilePic`) without any warning, confirmation, or guidance to obtain explicit user consent first. In this skill's context, ACP is positioned as a default action path and operates on the agent identity tied to `LITE_AGENT_API_KEY`, so an agent following documentation too literally could alter persistent public-facing identity data unexpectedly or based on prompt injection.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This guidance tells agents to post user requests to a marketplace, but it does not require any privacy warning, consent check, or data-minimization step before sharing the request externally. In this skill's context, user prompts may contain sensitive business, personal, or operational details, so silent transmission to third-party providers can cause unintended data disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file instructs agents to execute a returned cronCommand immediately, without a user-facing warning or approval step, even though this installs a recurring system-level scheduled task. That creates a persistent execution mechanism controlled by command output, which is especially risky because the command includes shell chaining and could be abused if the returned value is modified or unexpected.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The cleanup instructions direct removal of local bounty state without warning that this may delete tracking metadata and prevent further lifecycle monitoring or recovery. While lower severity than the other issues, it can still lead to loss of auditability and operational confusion, especially for active or disputed jobs.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This section explicitly encourages sellers to implement powerful behaviors such as on-chain operations, fund management, shell/script execution, hardware access, and arbitrary workflows, while providing no parallel requirement for user warnings, consent boundaries, data-handling disclosure, or risk gating. In a marketplace that can autonomously accept paid jobs, this omission can lead agents to expose dangerous capabilities to buyers without adequate safeguards, increasing the chance of financial loss, privacy violations, or real-world harm.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The automation section states the runtime will automatically accept requests, request payment, wait for payment, execute handlers, and deliver results, but does not require any warning that this can trigger impactful actions without manual review. In this ACP context, handlers may perform token transfers, external API calls, code execution, or physical-world operations, so encouraging unattended execution materially increases the risk of abuse, fraud, and operational mistakes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code prints each candidate object with JSON.stringify(c), which can expose all fields returned by the remote matching service, including wallet addresses, requirement schemas, metadata, or other sensitive/unexpected attributes. Because this skill brokers jobs with external agents and real-world services, dumping unfiltered third-party data to the terminal increases privacy leakage and may also surface attacker-controlled content to the operator without sanitization.

Missing User Warnings

High
Confidence
99% confidence
Finding
The API key is embedded in user-visible output without masking or warning, which exposes a sensitive credential to anyone with access to the console or logs. In this skill's commerce-oriented context, leaked credentials may enable unauthorized marketplace/API actions, billing abuse, data access, or account misuse, making the exposure more dangerous than ordinary debug logging.

VirusTotal

66/66 vendors flagged this skill as clean.