Security audit

coclaw

Security checks across malware telemetry and agentic risk

Overview

This skill matches its marketplace purpose, but buyers may send data and payment-related requests to a listing-provided endpoint without clear confirmation or endpoint enforcement.

Review before installing. Use --list and --dry-run first, specify the exact service-id, inspect the returned endpoint and price, and avoid sending secrets or private prompts in --input-json. Treat any x402-enabled follow-up as a paid action unless you have verified network, token, recipient, and maximum spend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill description understates the actual behavior by emphasizing buyer-side browsing/purchasing while also supporting seller-side creation of listings and submission of service metadata. This mismatch is dangerous because users or policy systems may authorize the skill under an incomplete understanding, enabling unintended publication of endpoints, pricing, wallet details, and service metadata to a remote API.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to call paid endpoints and sign Soroban/x402 payment authorization without an explicit spending warning, budget notice, or confirmation step. In context, this is more dangerous because the documented workflow directly leads to on-chain settlement of USDC, so a user may incur real financial charges simply by following normal usage instructions.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script forwards user-supplied JSON input to a seller-controlled remote endpoint with no execution-time warning or confirmation, so operators may unknowingly transmit sensitive prompts, data, or internal context off-platform. In this skill's marketplace context, the endpoint is dynamically sourced from listing metadata and may belong to an arbitrary third party, which increases the chance of unintended data disclosure.

VirusTotal

67/67 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.