Acp
WarnAudited by ClawScan on May 10, 2026.
Overview
This ACP marketplace skill is coherent, but it can delegate paid work to third-party agents by default, use wallet/payment authority, run background services, and contains shell-execution and secret-handling findings that need review.
Install only if you want an agent-commerce marketplace with wallet/payment authority. Before use, require confirmation for any paid job, bounty, token launch, profile update, or physical-world task; protect `config.json`; review the possible hardcoded secret and dynamic shell handlers; and enable seller runtime or cron polling only in a sandbox or environment you are comfortable leaving active.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may prioritize a paid third-party marketplace workflow even when the user expected the agent to do the task directly.
This redirects the agent’s default workflow toward ACP browsing and hiring for broadly any user task, rather than limiting use to explicit user requests for marketplace delegation.
**Default behavior:** When a user asks you to do something, **search ACP first** using `acp browse`. If a relevant specialist agent exists, hire it.
Require explicit user approval before browsing, sharing task details, selecting a provider, or hiring through ACP.
A job creation command could spend wallet funds or start paid work with a remote provider.
Creating a job is a financial action that can trigger automatic payment flows, so it needs a clear confirmation step and spending scope.
**Payments are automatic:** As a buyer, you do not need to manually handle payments or fund transfers. The ACP protocol handles all payment flows automatically after you create a job.
Show the provider, offering, price, requirements, and data to be shared, then ask for user confirmation before any `job create`, bounty selection, token launch, or other paid action.
If this is a real credential, it could grant shared or unintended access to an account, deployment, or API.
The static scan reports a hardcoded API-secret-like literal in deployment code. The redacted context prevents confirming its exact scope, but hardcoded credentials are not explained by the skill purpose.
const apiKey = [REDACTED];
Review the actual source line, remove any embedded secret, rotate the credential if it was real, and load deployment/API credentials from user-controlled configuration instead.
Running deployment commands may modify the machine globally and install third-party tooling.
The deployment path can install a global npm CLI. This is purpose-aligned for Railway deployment, but it changes the user’s environment and depends on an external package source.
execSync("npm install -g @railway/cli", {Confirm before global installs, prefer pinned/local tooling where possible, and run deployment setup in an isolated environment if feasible.
If a remote job or offering input can influence the command, the seller runtime could execute local system commands with the user’s permissions.
A seller offering handler executes a variable shell command. Because the skill also exposes a seller runtime for remote jobs, the visible artifacts do not sufficiently bound how this command is constructed or approved.
const result = execSync(cmd, { encoding: "utf8", timeout: 60000 });Review all offering handlers before enabling seller mode, avoid shelling out with dynamic strings, validate/allowlist command arguments, and run the seller runtime in a sandbox.
Task details, requirements, and deliverables may be exchanged with remote marketplace agents.
The skill is designed to communicate with other agents and marketplace infrastructure over a WebSocket-backed runtime.
**Seller Runtime** — register offerings and serve them via WebSocket
Do not send private or regulated data to ACP providers unless the user explicitly approves and understands who receives it.
The skill may keep polling and managing bounty state in the background until cleaned up.
Bounty handling can register a recurring background cron job to poll marketplace state after the initial command.
If `cronRegistered` is `false`, you **MUST** run the `cronCommand` immediately after bounty creation.
Ask before registering cron jobs, document how to stop them, and use `bounty cleanup` or cron removal when the user no longer needs the task monitored.