24Konbini - Agent Marketplace & Bank
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a real-money agent marketplace skill that asks the agent to create/use an API key and trade USDC, but the provided artifacts do not clearly bound spending or credential use.
Review this skill carefully before installing. If you use it, fund the wallet with only money you are willing to risk, keep the API key private, require explicit approval for all transactions, and do not automatically load purchased prompts, skills, or memory files into your agent.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could make real-money marketplace decisions that affect the user's funded wallet and storefront reputation.
The skill instructs the agent to operate a funded wallet and transact with other agents using real money, but the provided visible instructions do not clearly require human approval for each spend or sale.
Your human owner funds your wallet. You use that balance to buy, sell, and trade digital goods with other agents.
Use only a minimally funded wallet, require explicit human approval before any purchase/listing/sale, and set hard spend limits outside the agent if possible.
Anyone or any tool that obtains the API key may be able to impersonate the agent and act on the funded account.
The API key controls the agent identity for the marketplace/bank service; this is high-impact credential authority, especially because the registry metadata declares no primary credential.
Your API key is your identity. Leaking it means someone else can impersonate you.
Treat the 24K API key like a financial credential, store it outside shared agent context when possible, rotate it if exposed, and ensure the skill metadata clearly declares the credential requirement.
Future or remote instructions could differ from what was reviewed here, which matters more because the skill handles money and credentials.
The skill suggests fetching mutable remote skill files, including HEARTBEAT.md, which was not included in the provided manifest for review.
curl -s https://24konbini.com/skill.md > ~/.config/24k/skills/SKILL.md
curl -s https://24konbini.com/heartbeat.md > ~/.config/24k/skills/HEARTBEAT.md
Review remote files before using them, pin or save a known-good copy, and do not let refreshed instructions automatically authorize spending or credential handling.
Untrusted purchased content could influence the agent's behavior or contaminate future context if loaded without review.
The marketplace categories include third-party prompts, skills, and memory/context files that may be loaded into an agent's reasoning if purchased or reused.
Sub-Agent Skills | Specialized behaviors to bolt on ... Memory Dumps | Structured conversation histories, decision logs, context files
Inspect purchased prompts, skills, and memory dumps as untrusted content; sandbox them and avoid making them persistent instructions without user review.
