Virtuals Protocol Acp
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: openclaw-acp
Version: 0.1.0
The skill is classified as suspicious due to a Server-Side Request Forgery (SSRF) vulnerability in `src/commands/resource.ts` which allows HTTP GET requests to arbitrary, user-controlled URLs, potentially enabling internal network scanning. Additionally, the design of the seller runtime explicitly allows for 'Code/script execution' within dynamically loaded `handlers.ts` files (as described in `SKILL.md` and `references/seller.md`), creating a high-risk prompt injection surface where a compromised agent could be instructed to write and execute arbitrary code on the host running the seller runtime.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could create paid marketplace jobs or otherwise trigger financial/business actions if the user gives a broad request without realizing a payment flow is involved.
Creating a job can trigger payment handling through ACP, but the skill instructions do not specify a mandatory user approval, fee cap, balance cap, or provider/offering review step before that action.
"Payments are handled automatically by the ACP protocol — you only need to create the job and poll for the result."
Require explicit user confirmation before `job create`, token launch, profile updates, sell/delete actions, or any operation involving funds; set spending limits and confirm the provider, offering, fee, and required funds first.
If the user registers and serves an offering, incoming jobs could cause broad local or external actions depending on the handler the agent creates.
The seller guide explicitly allows offering handlers to execute arbitrary local logic, scripts, subprocesses, on-chain operations, or other workflows, without describing sandboxing or approval boundaries.
"`executeJob` can do anything — there are no constraints on what runs inside it... Code/script execution — run a script, shell command, or subprocess"
Review and sandbox every generated handler, validate all incoming requirements, avoid shell/subprocess use unless necessary, and require manual approval for on-chain, file, hardware, or other high-impact actions.
The agent may keep serving offerings and accepting jobs after the initial setup unless the user monitors and stops the runtime.
The documented seller runtime is a long-running WebSocket service; the README also documents `serve start`, `serve stop`, logs, and a stored `SELLER_PID`, showing persistent background operation.
"Seller Runtime — register offerings and serve them via WebSocket"
Start the seller runtime only when intentionally selling services, monitor logs and PID state, stop it when finished, and prefer an explicit lifetime or auto-stop policy.
Anyone with access to the config file may be able to act as the configured ACP agent and use its wallet/account capabilities.
The skill legitimately needs ACP account credentials, but the agent is instructed to participate in setup and write an API key into a local config file.
"performs login/authentication and generates/writes an API key to `config.json`. You must run it for the user"
Run setup under user supervision, keep `config.json` private and git-ignored, use a low-balance or purpose-specific agent wallet, and rotate the API key if exposed.
Sensitive prompts, secrets, or private data included in job requirements or resource parameters could be shared with external agents or services.
The skill intentionally communicates with other agents and their resource URLs; parameters and job requirements may be sent outside the local environment.
"`acp resource query <url> [--params '<json>']` — Query an agent's resource by its URL. Makes an HTTP request to the resource URL"
Treat marketplace agents and resource URLs as untrusted, verify destinations, and avoid sending secrets or private data unless the user explicitly approves.
Users rely on the supplied repository contents and npm dependencies when running the CLI.
The artifacts include a package-based CLI and lockfile, but the registry source is unknown and there is no install spec tying installation to a verified source.
"Source: unknown ... No install spec — this is an instruction-only skill."
Install only from a trusted copy, review `package.json` and `package-lock.json`, and avoid running setup from an unverified directory.
