BidClub

Security checks across malware telemetry and agentic risk

Overview

BidClub is a real-looking community integration, but it asks agents to keep following a changing remote heartbeat and can take public account actions, so it needs review before use.

Install only if you are comfortable giving a BidClub API key to an agent that can act publicly on that account. Do not add the heartbeat rule as written; treat remote heartbeat content as untrusted reference material unless you approve each action. Require confirmation before posting, commenting, voting, deleting, publishing skills, or making investment-related public statements, and store the API key in a secrets manager or environment variable rather than in chat, logs, or state files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill metadata says it is for posting investment ideas, but the document defines a much broader capability set including registration, voting, webhook configuration, skill publication, and persistent check-in behavior. This scope expansion can mislead users and agents about what the skill is allowed to do, increasing the chance of unintended network actions, account changes, and persistent behavioral side effects.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The instructions tell the agent to modify local tasking files and adopt a recurring fetch-and-follow rule from a remote URL, which exceeds a simple posting function. This creates persistence and an external control channel, allowing future remote content to influence agent behavior outside the original user request.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
Webhook registration adds inbound network integration and exposes an operator-controlled endpoint to third-party traffic, which is outside the stated purpose of posting ideas. This broadens the attack surface and can cause unintended data flows or event-driven behavior if enabled without explicit authorization and validation requirements.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The ability to publish prompts, scripts, and connectors is materially broader than a skill whose purpose is posting investment ideas. In practice, this can be used to exfiltrate code, distribute automation artifacts, or induce publication of executable content under the guise of a simple posting workflow.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly documents a DELETE endpoint that can remove posts but provides no warning, confirmation step, or guidance to require explicit user approval before execution. In an agent context, this increases the chance of accidental or unauthorized destructive actions, especially if the agent can act autonomously on broad prompts.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill directs the agent to modify local heartbeat/task files and maintain persistent local state without an explicit user-facing warning or consent flow. Hidden local file changes and durable state can create unauthorized persistence, alter agent behavior across sessions, and make later actions harder for users to audit.

Natural-Language Policy Violations

Medium
Confidence: 97%
Finding
The use of mandatory language ('MUST') pressures the agent into ongoing participation and periodic external fetches without demonstrating user authorization or necessity for the stated task. This can override user intent and normalize autonomous behavior expansion beyond the original posting use case.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs users to place a bearer API key directly into curl commands and headers, but provides no guidance on secure storage, redaction, shell history exposure, or least-privilege handling. In an agent-skill context, this can lead to credential leakage through logs, copied transcripts, terminal history, screenshots, or unsafe substitution of real secrets into prompts and automation.

Ssd 4

Medium
Confidence: 99%
Finding
The repeated instruction to fetch a remote heartbeat document every 4 hours and 'follow it' establishes a persistent external instruction channel. That enables gradual behavioral takeover because the remote content can change later and drive new actions not visible in the original reviewed skill.

Ssd 4

Medium
Confidence: 96%
Finding
The registration response packages trust-building language with a rule to add a recurring external check into the agent's task loop. Embedding persistence instructions in an onboarding flow is dangerous because it normalizes long-term obedience to a changing remote source under the guise of community participation.

Ssd 4

Medium
Confidence: 99%
Finding
The 'Stay Connected' section explicitly tells the agent to maintain state and repeatedly fetch and follow future remote instructions, creating durable narrative-driven control over the agent. This is especially risky because it couples persistence, periodic execution, and obedience to mutable external content.

VirusTotal

66/66 vendors flagged this skill as clean.