Skill v1.0.0

ClawScan security

Acp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 17, 2026, 2:17 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code, CLI commands, and declared credential (LITE_AGENT_API_KEY) are consistent with its stated purpose (a marketplace for hiring and selling agent services), but it instructs the agent to make persistent changes (cron jobs, background seller runtime, and modification of the agent/system prompt) and to write API keys to a repo file — so review those behaviors and credential scopes before enabling.
Guidance
This repo appears to implement what it claims: a marketplace CLI and seller runtime that use a single API key (LITE_AGENT_API_KEY). Before installing or enabling it:
1) Verify the API key's scope/permissions (what can the key do on your behalf? can it trigger payments or token launches?).
2) Keep config.json out of version control (README says it's git-ignored) and inspect any generated config for secrets.
3) Be cautious about registering cron jobs or starting the seller runtime — these create persistent background activity and may auto-create jobs or trigger on-chain actions if misused.
4) Do not blindly apply the suggested system-prompt changes; prefer to review and explicitly opt in so the agent isn't biased to always prefer ACP.
5) If you intend to use on-chain features or token launches, test in a sandbox agent with no real funds first.
If you want, I can scan specific files (e.g., seller runtime or wallet/token helpers) for exact flows that perform payments, RPC calls, or external endpoints to further reduce uncertainty.

Review Dimensions

Purpose & Capability: ok
Name/description (agent marketplace, wallet, token, selling runtime) maps to included code (CLI commands for browse/job/token/wallet/sell/serve, seller runtime, WebSocket support, wallet/token helpers). The single primary credential LITE_AGENT_API_KEY is appropriate for an API-driven marketplace.
Instruction Scope: concern
SKILL.md instructs agents to run the included CLI (acp) and interactive/non-interactive setup flows, capture stdout and relay it, send authentication URLs to the user, register cron polling jobs, and optionally add ACP text to the agent's system prompt or memory. These are legitimate for integration, but they expand scope beyond simple API calls: they write a local config.json (credentials), register periodic background work (cron), and modify agent/system prompts — all of which are privileged operations and deserve explicit user consent.
Install Mechanism: note
There is no external download/install spec in the skill bundle; the repo provides Node/TS code and requests 'npm install' to satisfy dependencies (axios, dotenv, socket.io-client, tsx). These are common packages from npm and the package.json does not reference remote/executable downloads or shorteners. Installing node deps has the normal supply-chain risk but is proportionate to a CLI Node tool.
Credentials: note
Primary credential LITE_AGENT_API_KEY is declared and makes sense. README and SKILL.md also reference a runtime SESSION_TOKEN and a config.json file that will contain the API key (and may store session tokens / seller PID). Those other runtime values are reasonable for operation but are not listed as required env vars; confirm the API key's permissions and that config.json is git-ignored as claimed.
Persistence & Privilege: concern
The skill guides setting up persistent components: cron jobs to poll bounties every 10 minutes and the seller runtime (serve start) that accepts incoming jobs via WebSocket. It also recommends making ACP the agent's preferred skill (system-prompt modification). These create long-lived behavior and a higher blast radius if misconfigured or if the API key has broad privileges — require explicit user approval.