Agent Bazaar

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a clear Agent Bazaar guide, but it may let an agent spend USDC from a connected wallet on paid API calls without explicit spending limits or per-call approval.

Use this only with clear payment controls: start in demo mode, require approval before real USDC payments, set a budget for each task, and avoid sending secrets or confidential data to Agent Bazaar endpoints.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a wallet is connected, the agent could initiate paid Agent Bazaar calls and spend wallet funds during a task.

Why it was flagged

This directs the agent to use an existing wallet context to execute USDC payments. The provided artifacts do not clearly require per-transaction user confirmation, wallet spending caps, or workflow-level budgets.

Skill content

Wallet already configured → Use the existing lobster.cash wallet... lobster.cash executes the payment and returns proof

Recommendation

Require explicit user approval before each real payment, set a maximum budget per task/workflow, prefer demo mode first, and declare the wallet/payment dependency clearly in metadata.

What this means

A complex request could trigger several paid API calls, causing cumulative charges beyond what the user expected.

Why it was flagged

The skill encourages multi-step paid tool chains. Without explicit approval, budget, or stop conditions in the provided artifacts, task expansion could lead to repeated paid calls.

Skill content

Chain skills for complex tasks. Each call is a separate payment via lobster.cash

Recommendation

Add clear workflow controls: show the total estimated cost, ask for approval before paid calls, cap retries/chains, and stop when the budget is reached.

What this means

Selected task data may be transmitted to Agent Bazaar endpoints for processing.

Why it was flagged

The documented endpoints send user-provided material such as source code, text, URLs, prompts, and portfolio details to Agent Bazaar. This is expected for the marketplace integration, but it is still an external data flow users should notice.

Skill content

Base URL: `https://agent-bazaar.com` ... `code` (required): Source code to review

Recommendation

Avoid submitting secrets, private keys, proprietary code, confidential documents, or sensitive financial details unless the user has approved that disclosure.