External Transmission
Medium
- Category
- Data Exfiltration
- Content
Free agent: curl -s https://api.agentplace.sh/marketplace/agents/<agent-id>/download Paid agent:
- Confidence
- 79% confidence
- Finding
- https://api.agentplace.sh/
Agentplace
Security checks across malware telemetry and agentic risk
Overview
This skill appears to be a legitimate skill marketplace installer, but its download-and-install workflow gives remote packages broad local write authority with limited validation.
Install only if you trust AgentPlace and the specific skill publisher. Before installing a downloaded package, inspect the full archive contents, not just SKILL.md, avoid pasting paid API keys into visible chat or shell history when possible, and remove any installed skill you do not recognize from ~/.openclaw/workspace/skills.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)
External Transmission
Medium
- Category
- Data Exfiltration
- Content
Paid agent: curl -s -H "x-api-key: ak_xxxx" https://api.agentplace.sh/marketplace/agents/<agent-id>/download Example response:
- Confidence
- 86% confidence
- Finding
- https://api.agentplace.sh/
Tool Parameter Abuse
High
- Category
- Tool Misuse
- Content
unzip -qo /tmp/agent.zip -d /tmp/agent-preview/ mv /tmp/agent-preview ~/.openclaw/workspace/skills/<agent-id>/ rm /tmp/agent.zip ---
- Confidence
- 97% confidence
- Finding
- rm /tmp/
VirusTotal
64/64 vendors flagged this skill as clean.