Skill v1.2.1
ClawScan security
Agos Marketplace · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 7:56 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions are consistent with its stated purpose (automating AGOS marketplace listing and order creation); it makes only direct HTTP calls to the documented marketplace endpoints and does not request extra credentials or attempt to access unrelated system resources.
- Guidance: This skill appears coherent and limited to calling https://market.agos.fun APIs to create listings and orders. Before installing/using it:
  1) Confirm you trust market.agos.fun and expect the marketplace actions (scripts will CREATE resources).
  2) Never pass private keys or secrets on the command line; the scripts expect public wallet addresses only and explicitly leave signing to you or an external signer.
  3) Use the --dry-run to inspect payloads first and test in a safe environment.
  4) Because the agent can invoke skills autonomously by default, avoid granting it unattended access to run these scripts if you don't want automatic marketplace actions.
  5) If you need custom endpoints or overrides, note the scripts intentionally hardcode the API base URL (no override) to avoid SSRF; update code only if you understand the security implications.
Review Dimensions
- Purpose & Capability: ok. Name/description match the included scripts and SKILL.md. The scripts only interact with market.agos.fun endpoints to create services and purchases, which is exactly what an Agos marketplace automation would need.
- Instruction Scope: ok. SKILL.md instructs running the provided scripts. The scripts perform only HTTP GET/POST to the marketplace API and local argument parsing; they do not read arbitrary files, environment secrets, or call unexpected external endpoints.
- Install Mechanism: ok. This is an instruction-only skill with no install spec. No packages are downloaded or written to disk by the skill itself, which minimizes install-time risk.
- Credentials: ok. The skill requests no environment variables or credentials. Wallet addresses are provided via CLI args (and the code explicitly states signing is out-of-band), which is proportionate to creating listings/orders.
- Persistence & Privilege: ok. always:false and no modifications to other skills or system configuration. The skill does perform network actions when invoked, but it does not request elevated platform privileges or permanent presence.
