Virtuals Protocol Acp

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real ACP commerce CLI, but it gives an agent broad wallet, marketplace, token, arbitrary URL, and background seller-runtime authority with incomplete safeguards.

Install only if you intend to let an agent participate in ACP commerce. Treat config.json as a secret, do not commit or share it, confirm any token launch or paid job action yourself, avoid sending secrets in resource query parameters, and run the seller runtime only with reviewed handlers and clear stop/logging practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill directs the agent to use a CLI that performs network operations and accesses credentials via environment/config, but the skill metadata does not declare corresponding permissions. This can undermine platform trust and informed consent because users and orchestrators cannot accurately assess what external access the skill requires before use.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The reference expands the skill from ACP marketplace/job orchestration into arbitrary URL fetching via `acp resource query <url>`, effectively enabling direct outbound HTTP requests to provider-supplied endpoints. This creates SSRF/privacy risks and capability creep: an agent may contact untrusted infrastructure, leak metadata or query parameters, and access URLs not constrained to ACP-verified resources.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The scaffolded handlers template exports `requestPayment`, but the validator enforces `requestAdditionalFunds` when `requiredFunds` is true. This mismatch can cause developers to create offerings that appear correctly scaffolded yet fail validation or omit the intended funds-request handler, leading to broken payment flows and potentially unsafe assumptions about how additional funds are requested.
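The usual way to stop a scaffolding template and its validator from drifting apart is to derive both from one handler specification, so a flag such as `requiredFunds` can only ever demand one export name. The following is an added example in plain Node.js, not the skill's own code: `requiredFunds` and `requestAdditionalFunds` are the names the finding quotes, while the base handler name `executeJob` and the manifest shape are assumptions.

```javascript
// Added example (not the skill's code): a single spec drives both the scaffolder and the validator.
// Assumed: a base handler named "executeJob" and a manifest carrying a boolean requiredFunds flag.
const HANDLER_SPEC = {
  always: ["executeJob"],
  // manifest flag -> exports that become mandatory when the flag is true
  when: { requiredFunds: ["requestAdditionalFunds"] },
};
const ALL_HANDLER_NAMES = new Set([
  ...HANDLER_SPEC.always,
  ...Object.values(HANDLER_SPEC.when).flat(),
]);

function requiredExports(manifest) {
  const names = [...HANDLER_SPEC.always];
  for (const [flag, handlers] of Object.entries(HANDLER_SPEC.when)) {
    if (manifest[flag] === true) names.push(...handlers);
  }
  return names;
}

// Scaffolder: emits exactly the exports the validator will later demand.
function scaffoldHandlers(manifest) {
  return requiredExports(manifest)
    .map((name) => `export async function ${name}(job) {\n  throw new Error("TODO: implement ${name}");\n}`)
    .join("\n\n");
}

// Validator: same list, plus a report of exports the spec does not know about,
// which is what a stale template name like requestPayment would show up as.
function validateHandlers(manifest, mod) {
  const required = requiredExports(manifest);
  const exported = Object.keys(mod).filter((n) => typeof mod[n] === "function");
  const missing = required.filter((n) => !exported.includes(n));
  const unknown = exported.filter((n) => !ALL_HANDLER_NAMES.has(n));
  return { ok: missing.length === 0, missing, unknown };
}

// Constructed stand-ins for a loaded handlers.ts module.
const driftedModule = { executeJob: async () => {}, requestPayment: async () => {} };
const correctModule = { executeJob: async () => {}, requestAdditionalFunds: async () => {} };
```

Running `validateHandlers({ requiredFunds: true }, driftedModule)` reports `requestAdditionalFunds` as missing and `requestPayment` as unknown, which is the mismatch the finding describes; the scaffolder cannot reproduce it because it reads the same spec.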

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code builds a filesystem path from the caller-controlled offeringName and then dynamically imports handlers.ts from that location, which executes module top-level code on load. Because there is no validation that offeringName is one of the enumerated offering directories or that the resolved path stays within the intended offerings root, an attacker who can influence this value may trigger loading of unintended local code, broadening the skill into arbitrary plugin execution rather than merely selecting a known offering.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly states that sensitive credentials such as an API key and session token are stored in a local `config.json`, but it does not warn users to protect that file, restrict permissions, avoid sharing it in support bundles, or prevent accidental exposure through logs and backups. In a skill designed for AI agents that can transact, manage wallets, launch tokens, and operate seller runtimes, compromise of these credentials could enable account takeover, unauthorized marketplace actions, and misuse of the agent's commercial identity.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to run setup that writes an API key into a repo-local config.json, but it does not warn about credential persistence, local exposure, accidental commits, or multi-user workspace access. Storing long-lived secrets in the repository directory increases the chance of leakage through source control, logs, backups, or other tools operating on the repo.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises acp resource query as making HTTP requests to arbitrary resource URLs with optional user-supplied parameters, but it does not warn that those parameters may be transmitted to third-party services. This creates a privacy and data-handling risk, especially if an agent includes sensitive prompts, identifiers, or internal data in the request.

Missing User Warnings

High
Confidence
97% confidence
Finding
The token launch command is presented as a normal profile/action workflow without a prominent warning that it can create a real on-chain asset and trigger irreversible financial, legal, and reputational consequences. In this skill's marketplace and wallet context, an agent could initiate token issuance or related spending behavior without the level of user confirmation appropriate for high-risk financial operations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The seller runtime is described as automatically accepting, processing, and delivering job results by executing handlers, but the skill does not warn that enabling it authorizes autonomous external actions and potentially continuous processing of third-party requests. In this context, that increases the risk of unintended transactions, data disclosure, abuse of local code paths, or unattended operation beyond the user's expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The resource-query guidance tells agents to send GET requests directly to provider-supplied URLs without warning that this exposes the caller's IP, headers, timing, and any query parameters to third parties. In this skill context, providers are discovered dynamically from a marketplace, so querying their resources can leak sensitive prompts, identifiers, portfolio data, or other user-linked information to untrusted external services.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly encourages implementers to build offerings that can run scripts, shell commands, subprocesses, file operations, API calls, and on-chain fund-moving actions, but it does not pair that guidance with baseline security constraints, consent requirements, input validation expectations, or warnings about arbitrary code execution and asset-handling risk. In a marketplace where other agents can automatically discover and invoke services, this omission materially increases the chance that unsafe handlers will be exposed and abused.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The resource registration flow allows agents to register external URLs and have them queried via GET, but the guide does not warn that request parameters may be sent to third-party services, logged in URLs, or used to contact attacker-controlled endpoints. This creates avoidable privacy, SSRF, and data-exfiltration risk, especially if agents pass sensitive prompts, identifiers, or internal metadata as query parameters.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The command logs the full contents of user-supplied query parameters before making the request. If params contain secrets, tokens, API keys, wallet addresses, internal identifiers, or other sensitive runtime data, those values may be exposed in terminal output, logs, CI artifacts, or shared agent transcripts. In this skill's context, which performs networked agent commerce and resource access, parameters are especially likely to include sensitive identifiers or credentials, making the issue more dangerous than a generic CLI logger.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup flow stores the agent API key in local config.json and even notes it was saved, but there is no explicit warning, consent step, or protection mechanism around storing a long-lived credential on disk. If the local filesystem, repo workspace, backups, or logs are exposed, an attacker could recover the key and impersonate the agent for ACP actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
`activateAgent` persists the provided API key into `config.json` and also stores it as the global `LITE_AGENT_API_KEY`, leaving long-lived credentials at rest in the repo root. If the file is read by another local user, included in backups, or accidentally committed, marketplace/agent credentials could be exposed and abused.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The function launches the user's default browser through a shell command without any user-facing confirmation, and the URL is interpolated directly into the command string, so any shell metacharacters in the URL would be interpreted by the shell rather than passed to the browser as a literal argument. In this skill's context, opening marketplace or ACP-related links can trigger unwanted navigation, phishing exposure, or abuse of custom URI handlers, making the behavior more dangerous than a purely local utility.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The runtime logs `clientAddress` and the full serialized `context` for every incoming job, which can expose sensitive user/job metadata to local logs, centralized log collectors, or shared hosting environments. In this skill, the risk is elevated because ACP jobs may contain transaction-related details, agent-to-agent business data, or other marketplace information that operators may not intend to retain or disclose.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"seller:check": "tsx bin/acp.ts serve status"
  },
  "dependencies": {
    "axios": "^1.13.4",
    "dotenv": "^16.4.5",
    "socket.io-client": "^4.8.1"
  },
Confidence
86% confidence
Finding
"axios": "^1.13.4"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "axios": "^1.13.4",
    "dotenv": "^16.4.5",
    "socket.io-client": "^4.8.1"
  },
  "devDependencies": {
Confidence
82% confidence
Finding
"dotenv": "^16.4.5"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "axios": "^1.13.4",
    "dotenv": "^16.4.5",
    "socket.io-client": "^4.8.1"
  },
  "devDependencies": {
    "tsx": "^4.19.2",
Confidence
87% confidence
Finding
"socket.io-client": "^4.8.1"

Known Vulnerable Dependency: axios==1.13.4 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
axios==1.13.4
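Note that the manifest quoted in the three findings above declares `"axios": "^1.13.4"`, a caret range, while this finding names a fixed `1.13.4`; with a range the version actually installed is whatever the lockfile resolved, so a scanner reading only package.json may report the floor of the range rather than what runs. The block below is an added example in plain Node.js, not the skill's tooling, that flags range specifiers and reports the lockfile-resolved versions; both manifests are constructed, modelled on the fragments quoted above, and the minimum versions passed to `belowMinimum` are placeholders, not fix versions stated on this page.

```javascript
// Added example (not the skill's code): report unpinned specifiers and lockfile-resolved versions.
// Both documents are constructed from the package.json fragments quoted in the findings.
const PACKAGE_JSON = {
  dependencies: { axios: "^1.13.4", dotenv: "^16.4.5", "socket.io-client": "^4.8.1" },
  devDependencies: { tsx: "^4.19.2" },
};
// npm lockfileVersion 2/3 layout: entries keyed by install path under "packages".
const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: PACKAGE_JSON.dependencies },
    "node_modules/axios": { version: "1.13.4", resolved: "https://registry.npmjs.org/axios/-/axios-1.13.4.tgz", integrity: "sha512-<constructed>" },
    "node_modules/dotenv": { version: "16.4.7" },
    "node_modules/socket.io-client": { version: "4.8.1" },
    "node_modules/tsx": { version: "4.19.2" },
  },
};

const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // no ^, ~, >=, x, *, or dist-tag

function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map(Number);
}
function versionLt(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

function auditPins(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const unpinned = [];
  const resolved = {};
  const missingFromLock = [];
  for (const [name, spec] of Object.entries(declared)) {
    if (!EXACT.test(spec)) unpinned.push(`${name}@${spec}`);
    const entry = lock && lock.packages && lock.packages[`node_modules/${name}`];
    if (entry && entry.version) resolved[name] = entry.version;
    else missingFromLock.push(name);
  }
  return { unpinned, resolved, missingFromLock };
}

// Compare resolved versions with operator-supplied minimums taken from the advisory feed.
function belowMinimum(resolved, minimums) {
  return Object.entries(minimums)
    .filter(([name, min]) => resolved[name] && versionLt(resolved[name], min))
    .map(([name, min]) => `${name}@${resolved[name]} < ${min}`);
}
```

In the constructed lockfile `dotenv` resolved to 16.4.7 although the manifest says `^16.4.5`, which is exactly the gap a manifest-only scan misses. `npm ci` installs what the lockfile says and fails if it disagrees with package.json, `npm install --save-exact <pkg>` records a fixed version, and `npm ls axios` shows what is actually on disk.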

VirusTotal

66/66 vendors flagged this skill as clean.