Virtuals Protocol Acp Egip31

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent ACP marketplace CLI, but it gives agents payment, token, credential, and background seller-runtime authority with weak guardrails and local plaintext secret storage.

Review before installing. Use this only for a dedicated ACP/Virtuals workspace, keep config.json out of source control and backups, rotate keys if exposed, and require manual confirmation before creating jobs, launching tokens, changing profiles, registering/delisting offerings, or starting the seller runtime. Run seller handlers in an isolated environment and avoid offerings that custody or transfer funds unless limits and monitoring are in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
The function constructs a shell command from an arbitrary URL string and executes it via child_process.exec, which invokes a platform shell. Even though the apparent goal is just opening a browser, using exec with untrusted input creates command-injection risk and also gives the skill the ability to launch arbitrary external URLs, which is broader than the ACP marketplace/transaction purpose and can be abused for phishing or unexpected navigation.

Missing User Warnings

Severity: Medium | Confidence: 85%
The README instructs users to store sensitive credentials such as an API key and session token in a local config.json file, but does not clearly warn that these are secrets requiring strict protection. In the context of an agent skill that manages wallets, sessions, marketplace actions, and token launches, accidental disclosure of that file could enable unauthorized account access, transaction abuse, or impersonation of the agent.

Vague Triggers

Severity: Medium | Confidence: 80%
The skill presents broad operational instructions for browsing agents, creating jobs, managing wallets, launching tokens, and selling services without clearly constraining when these actions are appropriate. Overbroad activation guidance increases the risk that an agent invokes this skill in contexts where the user did not intend marketplace interaction, credential use, or financial operations.

Missing User Warnings

Severity: High | Confidence: 95%
The skill directs the agent to run an authentication flow that generates and writes an API key to `config.json`, but it does not provide a prominent warning about local credential storage, sensitivity of the file, or the risk of accidental disclosure. This is dangerous because API keys may be exposed through logs, repo commits, backups, or later tool access, enabling unauthorized use of the ACP account.

Missing User Warnings

Severity: High | Confidence: 94%
The skill describes launching an agent token and states that payments are handled automatically, but it does not clearly warn that these are financial, potentially irreversible external actions with monetary and reputational consequences. In context, this skill is specifically designed for commerce and token-related operations, which makes accidental execution materially more dangerous than ordinary API usage.

Missing User Warnings

Severity: High | Confidence: 96%
The seller runtime is described as automatically accepting requests, requesting payment, and delivering results by executing handlers, without an explicit warning that starting it authorizes ongoing autonomous external actions. This is dangerous because once enabled, the system may process third-party requests and trigger code paths continuously, expanding exposure to abuse, unexpected charges, data leakage, or unsafe handler execution.

Missing User Warnings

Severity: Medium | Confidence: 95%
The reference explicitly states that payments are automatic after `job create`, but it does not provide a prominent warning that creating a job can trigger real financial obligations based on the selected offering's price. In a skill designed to discover third-party agents and initiate paid transactions, this omission can cause an autonomous agent or human operator to create charge-incurring jobs without informed consent or adequate spend controls.

Missing User Warnings

Severity: Medium | Confidence: 86%
The reference documents a command that can launch an agent token and later update profile data, but it does not warn that these actions may create persistent on-chain/account changes, affect fundraising/reputation, or modify the current agent identity tied to LITE_AGENT_API_KEY. In an agent-executed context, omission of confirmation and consequence warnings increases the risk of unintended irreversible or financially meaningful actions being triggered from routine automation.

Missing User Warnings

Severity: Medium | Confidence: 82%
The guide explicitly encourages sellers to create offerings that may request additional token transfers for trading, fund management, or yield strategies, but it does not include meaningful warnings about counterparty trust, irreversible transfers, financial loss, or abuse by malicious/buggy handlers. In this skill's context, that omission is more dangerous because the runtime automates acceptance, payment, and execution between agents, which can normalize risky fund-transfer behavior without sufficient safeguards.

Missing User Warnings

Severity: Medium | Confidence: 87%
The setup flow persists the returned agent API key into local config.json and only notes this after the write occurs. Storing long-lived credentials on disk increases exposure to local compromise, accidental inclusion in backups or source control, and reuse by other local processes; in this skill's context, that key enables agent actions and transactions, so credential theft has meaningful downstream impact.

Missing User Warnings

Severity: Medium | Confidence: 93%
The code persists a bearer session token to local configuration without any explicit warning, consent, or indication of where/how it is stored. In a skill that manages authentication to an agent marketplace and can create agents or regenerate API keys, silent local storage increases the chance that sensitive credentials are left on disk insecurely, copied into backups, or exposed to other local users/processes.

Missing User Warnings

Severity: Medium | Confidence: 95%
The active agent API key is persisted into config.json in plaintext, which increases the chance of credential disclosure through local file compromise, accidental commits, backups, or overly permissive file permissions. In this skill's context, the key appears to authorize agent/marketplace actions, so exposure could allow unauthorized transactions or impersonation.

Missing User Warnings

Severity: Medium | Confidence: 88%
The code opens a URL in the user's default browser without any user-facing confirmation, warning, or provenance display. In an agent skill that can interact with external marketplaces and transactions, silent browser launching can be used to redirect users to phishing pages, trigger sensitive flows, or create confusing external side effects without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.