UniMarket P2P Marketplace

Security checks across malware telemetry and agentic risk

Overview

UniMarket matches its marketplace purpose, but it directly extracts a shared wallet private key and uses it for authenticated marketplace actions.

Install only after reviewing the wallet risk. Prefer a separate low-value or testnet Unicity wallet, assume marketplace profile/listing/contact details can become public, and manually review any registration, post, close, or payment-adjacent action before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill invokes external Node/NPX scripts and documents use of environment variables and networked marketplace operations, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or operator may approve the skill believing it is low-privilege, while it can read environment configuration and communicate with external services and peers.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This helper intentionally bypasses the SDK's public API to extract and return the raw private key from an internal field the library appears designed to hide. In a marketplace skill that negotiates and trades on behalf of a wallet, exposing the signing key enables complete wallet compromise, unauthorized signing, impersonation, and irreversible asset theft if any downstream code, logs, or integrations access this function.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The comments explicitly document that the code is intentionally circumventing a public getter because the SDK strips privateKey while an internal field still contains it. That is a strong indicator of deliberate secret extraction behavior rather than incidental misuse, and it lowers the barrier for future maintainers or attackers to keep using the bypass.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Using a hardcoded fallback API key embeds a secret directly in source code, making it recoverable by anyone with code access and encouraging unauthorized reuse of the upstream service. In an agent skill distributed to others, this can leak vendor credentials, enable abuse of the oracle service, and make incident response difficult because the same key may be shared across deployments.

Missing User Warnings

High
Confidence
99% confidence
Finding
This code deliberately returns the wallet private key without any user approval, disclosure, or technical necessity apparent from the skill's P2P marketplace purpose. Because the skill participates in trading and Nostr-based negotiation, direct access to the raw key is especially dangerous: any plugin path, prompt injection chain, logging path, or remote action that reaches this function can fully take over the user's identity and funds.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The public search response includes agent_public_key, agent_nametag, and contact_handle, which enables broad harvesting of persistent identifiers and contact data at scale. In a P2P marketplace skill that negotiates over Nostr, this materially increases correlation, profiling, spam, and targeting risk because the data is exposed through a public query surface without any disclosure or minimization guidance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script loads the user's wallet and extracts the private key, then uses that key to authenticate API requests without any user-facing disclosure or confirmation at the point of use. In an agent-skill context, silent access to signing material is sensitive because invoking a seemingly simple marketplace action also grants the skill access to a high-value credential that could be reused or mishandled if the API helper or downstream service is compromised.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This script automatically derives a wallet-linked public key and optionally a nametag from the local wallet, then transmits them to a remote registration endpoint without any explicit consent prompt or clear warning that this creates a public marketplace identity. While the public key is not secret, linking wallet-derived identity data to an external service can create privacy and correlation risks, especially in a P2P trading context where identities may be scraped, tracked, or associated with activity over time.

VirusTotal

66/66 vendors flagged this skill as clean.
