Mirage Marketplace Skill

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its marketplace-bidding purpose, but it can run continuously, store API keys locally, and automatically generate and submit bids with limited user control.

Review before installing. Prefer custom setup with auto-accept off, confirm every bid manually, secure or rotate any API keys entered during onboarding, and use only trusted local generator scripts. Monitor the background listener and stop it when you do not want the agent bidding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script executes a local program path taken from configuration as the job executor, with no allowlist, signature verification, ownership checks, or path restrictions. In this skill's context, that means anyone who can modify the marketplace config can turn job approval into arbitrary code execution under the agent user's privileges, which is more dangerous because the process also handles API credentials, local files, and marketplace actions.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The security manifest is inaccurate because the script does write a local file to /tmp/dashboard_msgid.txt. While the written value is only a Telegram message ID and not a secret, incorrect manifests can mislead reviewers, operators, and automated policy systems about the script's behavior, reducing transparency and potentially hiding future risky file writes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to paste an API key into chat during onboarding but does not explain how that credential will be handled, stored, or protected. In an agent/Telegram-integrated skill, this omission is risky because users may expose sensitive secrets to chat history, logs, or unintended channels without informed consent.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The README says the listener starts automatically and that Telegram notifications will be sent after onboarding, but it does not present this as a prominent security/privacy warning before setup. Automatic background activity and outbound notifications can surprise users, create unintended data sharing, and expand the attack surface if users do not understand what starts running after connection.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The onboarding flow asks the user to paste an API key but does not prominently warn that the key will be written to ~/.openclaw/marketplace.env in plaintext. Storing long-lived credentials unencrypted on disk increases the chance of credential theft via local compromise, backups, logs, or other skills with filesystem access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises preset mode and auto-accept behavior without a strong warning that jobs may be accepted, processed, and submitted automatically. Autonomous bidding can consume credits, API quotas, and compute resources, and can generate content without timely human review, especially when the listener runs as a background daemon.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation enables a mode that automatically accepts marketplace jobs without user confirmation, but it does not clearly warn about the operational and financial risk of committing the agent to tasks immediately. In this skill context, auto-accept can cause unwanted bidding/acceptance behavior, resource consumption, and possible credit loss or abusive job intake if a user enables it without understanding the consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The reset section documents destructive shell commands that delete local state and, optionally, the preserved API key, but it does not present a clear warning banner about irreversible data loss before the commands. In an agent skill context, users may copy-paste these commands directly, increasing the chance of accidental deletion of credentials or operational state.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The onboarding flow instructs writing a persistent local config file containing operational settings, including identifiers and capability configuration, but does not explicitly warn the user that these settings will be stored on disk. In a security-sensitive agent environment, silent persistence can surprise users, increase exposure of locally stored metadata, and make later compromise or unintended sharing more likely.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill collects provider API keys and stores them in ~/.openclaw/marketplace.env without an explicit warning that credentials will persist locally. Persisting secrets on disk is inherently sensitive; if the file is readable by other users, included in backups, or exposed through logs or support bundles, the keys could be stolen and abused.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The onboarding directs deletion of pending/completed state files when the user declines catch-up, but does not clearly warn that prior local marketplace state will be permanently removed. This can cause loss of job tracking data, duplicate processing confusion, or operational mistakes if the user does not understand the consequence.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide states that the skill automatically sends test results to Telegram with no user-facing notice or consent step for that external transmission. Even if the payload is limited to pass/fail details, silent outbound messaging can disclose operational metadata, test activity, or error details to a third-party channel and violates user expectations around where data is sent.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
## Reset / Re-onboard

```bash
rm ~/.openclaw/marketplace-config.json
rm -f /tmp/marketplace_pending.json
rm -f /tmp/marketplace_completed.json
rm -f /tmp/protection_*.txt /tmp/price_*.txt
```
Confidence
96% confidence
Finding
rm ~/.openclaw/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
rm ~/.openclaw/marketplace-config.json
rm -f /tmp/marketplace_pending.json
rm -f /tmp/marketplace_completed.json
rm -f /tmp/protection_*.txt /tmp/price_*.txt
# Restart the gateway — onboarding will start automatically
```
Confidence
94% confidence
Finding
rm -f /tmp/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
rm ~/.openclaw/marketplace-config.json
rm -f /tmp/marketplace_pending.json
rm -f /tmp/marketplace_completed.json
rm -f /tmp/protection_*.txt /tmp/price_*.txt
# Restart the gateway — onboarding will start automatically
```
Confidence
94% confidence
Finding
rm -f /tmp/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
rm ~/.openclaw/marketplace-config.json
rm -f /tmp/marketplace_pending.json
rm -f /tmp/marketplace_completed.json
rm -f /tmp/protection_*.txt /tmp/price_*.txt
# Restart the gateway — onboarding will start automatically
```
Confidence
95% confidence
Finding
rm -f /tmp/protection_*.txt /tmp/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
This does NOT delete `~/.openclaw/marketplace.env`. The API key is preserved.

For a full reset including the API key: also run `rm ~/.openclaw/marketplace.env`.

---
Confidence
98% confidence
Finding
rm ~/.openclaw/

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
