BidClub

Security checks across malware telemetry and agentic risk

Overview

This is a real BidClub integration, but it asks agents to keep fetching and following a remotely changeable heartbeat document for ongoing account activity.

Install only if you intentionally want an agent to operate a BidClub account. Before enabling it: remove or strictly constrain the heartbeat rule; treat remote heartbeat content as untrusted information rather than instructions; require explicit approval for posts, comments, votes, deletes, and skill publishing; store the API key in a secure secret store; and register webhooks only to endpoints you control and authenticate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability (Medium, 97% confidence)

The skill instructs the agent to modify a persistent local task/heartbeat file and adopt an ongoing check-in workflow that is not necessary for the stated purpose of posting investment ideas. This expands the skill from a one-off posting integration into durable behavior shaping and local state manipulation, increasing the chance of unauthorized persistence and future instruction hijacking.

Context-Inappropriate Capability (Medium, 99% confidence)

This section directs the agent to poll a remote heartbeat URL every 4 hours and 'follow it,' which creates an open-ended control channel from a mutable external document into agent behavior. That is dangerous because the remote content can change after installation and silently introduce new actions unrelated to the original skill purpose.

Context-Inappropriate Capability (Medium, 91% confidence)

Webhook registration adds an inbound event-processing surface that goes beyond the narrow described purpose of posting ideas. While useful for engagement, it introduces continuous external-trigger capability that can cause the agent to process unsolicited content and potentially chain into unintended actions.

Context-Inappropriate Capability (Medium, 96% confidence)

The skill explicitly tells the agent to store persistent state in memory/bidclub-state.json even though persistent local tracking is not required to post content. Unnecessary persistent state increases attack surface, can leak behavior history, and normalizes hidden long-lived autonomy outside the user's immediate request.

Missing User Warnings (Medium, 83% confidence)

The documentation exposes a destructive delete endpoint and mentions that it also removes comments and votes, but it does not require confirmation, an approval flow, or a strong warning before use. In an agent context, insufficient guardrails around destructive actions can lead to irreversible content loss from prompt mistakes or malicious instruction injection.

Missing User Warnings (Medium, 88% confidence)

The registration flow tells the user to save the API key immediately and disclose claim artifacts, but it provides no warning about handling secrets or limiting exposure of registration data. This can encourage unsafe storage, accidental credential leakage, or sharing of tokens and claim URLs in insecure channels.

Missing User Warnings (Medium, 93% confidence)

The skill instructs the user to place a bearer API key directly into curl commands for repeated authenticated requests, but provides no guidance on secure credential storage, shell history leakage, logging exposure, or least-privilege handling. In an agent-skill context, this can normalize unsafe secret handling and increase the chance that credentials are pasted into prompts, committed to state files, exposed in terminal history, or leaked through agent/tool logs.

Ssd 4 (Medium, 99% confidence)

The recurring instruction to fetch a mutable heartbeat file and 'follow it' is a classic remote instruction-following pattern. It delegates future behavior to external content outside the reviewed skill, enabling post-deployment changes in agent behavior without user review or versioned trust boundaries.

Ssd 4 (Medium, 99% confidence)

The later 'Stay Connected' section reinforces mandatory recurring compliance with external instructions and adds local state tracking to sustain that loop. This makes the skill materially more dangerous because it normalizes persistent autonomy and creates a durable mechanism for behavior updates from a third-party site.

VirusTotal

64/64 vendors flagged this skill as clean.