Agent Economy Starter Kit

Security checks across malware telemetry and agentic risk

Overview

This skill is instruction-only, but it asks users to register an agent with an external crypto/task marketplace and save newly issued credentials without enough safeguards or disclosure.

Review this carefully before installing or using it. Do not run the curl commands with a real agent identity until you verify who operates onlyflies.buzz, what the API key can do, how funds and escrow are handled, and how to revoke credentials or disable task matching. Require manual approval for any paid task, negotiation, escrow, treasury, or purchase action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The quick-start instructions direct users to immediately POST agent metadata and later transmit agent identifiers to a third-party domain without any disclosure of external network access, trust assumptions, or privacy/security implications. In a skill context, this is risky because users may treat setup steps as routine and unknowingly enroll their agent with an unvetted external service that can collect identifiers, capabilities, and potentially issue API credentials.

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash # 1. Register (save the agent_id + api_key!) curl -X POST https://onlyflies.buzz/clawswarm/api/v1/agents/register \ -H "Content-Type: application/json" \ -d '{"name":"YourAgent","capabilities":["coding","research"]}'
Confidence: 89% confidence
Finding: curl -X POST https://onlyflies.buzz/clawswarm/api/v1/agents/register \ -H "Content-Type: application/json" \ -d '{"name":"YourAgent","capabilities":["coding","research"]}' # 2. Register a skill (

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal