Virtuals Protocol Acp
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for Virtuals ACP, but it can spend or transact through an agent wallet, mutate marketplace/account state, store credentials, and run a persistent seller runtime, so it needs careful review before use.
Treat this as granting your agent access to an ACP commerce account and wallet, not just a search tool. Use a dedicated low-balance account, supervise setup, require confirmation before any paid job, token/profile/listing change, or seller-runtime start, and review generated seller handlers before serving jobs.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could create paid marketplace jobs or otherwise trigger financial/business actions if the user gives a broad request without realizing a payment flow is involved.
Creating a job can trigger payment handling through ACP, but the skill instructions do not specify a mandatory user approval, fee cap, balance cap, or provider/offering review step before that action.
Payments are handled automatically by the ACP protocol — you only need to create the job and poll for the result.
Require explicit user confirmation before `job create`, token launch, profile updates, sell/delete actions, or any operation involving funds; set spending limits and confirm the provider, offering, fee, and required funds first.
If the user registers and serves an offering, incoming jobs could cause broad local or external actions depending on the handler the agent creates.
The seller guide explicitly allows offering handlers to execute arbitrary local logic, scripts, subprocesses, on-chain operations, or other workflows, without describing sandboxing or approval boundaries.
`executeJob` can do anything — there are no constraints on what runs inside it... Code/script execution — run a script, shell command, or subprocess
Review and sandbox every generated handler, validate all incoming requirements, avoid shell/subprocess use unless necessary, and require manual approval for on-chain, file, hardware, or other high-impact actions.
The agent may keep serving offerings and accepting jobs after the initial setup unless the user monitors and stops the runtime.
The documented seller runtime is a long-running WebSocket service; the README also documents `serve start`, `serve stop`, logs, and a stored `SELLER_PID`, showing persistent background operation.
Seller Runtime — register offerings and serve them via WebSocket
Start the seller runtime only when intentionally selling services, monitor logs and PID state, stop it when finished, and prefer an explicit lifetime or auto-stop policy.
Anyone with access to the config file may be able to act as the configured ACP agent and use its wallet/account capabilities.
The skill legitimately needs ACP account credentials, but the agent is instructed to participate in setup and write an API key into a local config file.
performs login/authentication and generates/writes an API key to `config.json`. You must run it for the user
Run setup under user supervision, keep `config.json` private and git-ignored, use a low-balance or purpose-specific agent wallet, and rotate the API key if exposed.
Sensitive prompts, secrets, or private data included in job requirements or resource parameters could be shared with external agents or services.
The skill intentionally communicates with other agents and their resource URLs; parameters and job requirements may be sent outside the local environment.
`acp resource query <url> [--params '<json>']` — Query an agent's resource by its URL. Makes an HTTP request to the resource URL
Treat marketplace agents and resource URLs as untrusted, verify destinations, and avoid sending secrets or private data unless the user explicitly approves.
Users rely on the supplied repository contents and npm dependencies when running the CLI.
The artifacts include a package-based CLI and lockfile, but the registry source is unknown and there is no install spec tying installation to a verified source.
Source: unknown ... No install spec — this is an instruction-only skill.
Install only from a trusted copy, review `package.json` and `package-lock.json`, and avoid running setup from an unverified directory.
