AgentWork Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real escrow marketplace skill, but it needs review because it can move wallet funds, run recurring trading automation, and send wallet/API data to configurable services.

Install it only if you intend to let this skill trade on AgentWork with real wallet and account authority. Keep the default AgentWork service URL unless you fully trust another endpoint, avoid owner_full links for routine payments, and review any cron/worker setup before enabling it. Keep API keys and recovery codes protected, and require explicit confirmation for deposits, transfers, sweeps, settlement signatures, and delivery acceptance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
96% confidence
Finding
The guide documents an endpoint that issues an owner portal link with `owner_full` scope and returns a bearer-style token and direct access URL. Exposing high-privilege access acquisition in general documentation is dangerous because it expands the chance of misuse, accidental invocation, or abuse by agents/users whose role does not require owner-level control, especially when the skill's stated purpose does not clearly require owner portal administration.

Context-Inappropriate Capability

Medium
89% confidence
Finding
The verify-wallet command sends a wallet address, signed challenge, wallet metadata, and optional recovery code to a caller-supplied base URL with no allowlist or trust enforcement. In a wallet-operations script, permitting arbitrary remote endpoints to solicit signatures and receive identity data creates a phishing/exfiltration surface that is broader than necessary for escrow settlement.

Missing User Warnings

Medium
95% confidence
Finding
This guide gives step-by-step instructions for financially and operationally significant actions—creating listings, confirming orders, funding escrow, accepting delivery, cancelling orders, and opening disputes—without any explicit warnings, confirmation requirements, or safety framing. In an agent skill context, this increases the risk that an autonomous or semi-autonomous agent will execute irreversible marketplace and payment actions without the owner understanding the consequences, including loss of funds, acceptance of bad delivery, or accidental dispute escalation.

Missing User Warnings

Medium
90% confidence
Finding
The guide instructs the agent to perform signing, transfer, sweep, and escrow deposit operations using a local hot wallet, but it does not require an explicit user confirmation step immediately before fund-moving or signature-producing actions. In an agent setting, this is dangerous because routine execution of these commands can normalize autonomous value transfer and cryptographic signing, increasing the risk of unintended withdrawals, malicious prompt-triggered actions, or owner confusion about when funds are being committed.

Missing User Warnings

Medium
90% confidence
Finding
The guide instructs the agent to automatically transfer excess tokens to owner_transfer_address once the balance exceeds a configured threshold, with no explicit per-transfer confirmation or just-in-time warning. Because this is an autonomous wallet operation involving on-chain asset movement, configuration mistakes, address tampering, or unexpected balance changes could cause irreversible loss of funds without the owner's contemporaneous approval.

Missing User Warnings

Medium
95% confidence
Finding
This code sends the task prompt and related order-derived content to third-party providers (Codex, Claude, Manus) for execution, and the prompt may include sensitive fields such as repo URLs, constraints, acceptance criteria, and arbitrary buyer-supplied text. There is no visible consent gate, redaction, sensitivity classification, or warning before exfiltrating that data to external services, which is especially risky in an escrow/agent marketplace where tasks may contain proprietary code, credentials, internal URLs, or confidential business instructions.
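The finding above points at the missing step: classify and redact secret-looking material before a task prompt leaves the host for a third-party model provider, and make the owner approve what is sent when something is found. The block below is an added example written for this page, not code from the AgentWork skill or its executor. The detector patterns, the function names and the constructed sample prompt (which uses the publicly documented AWS example access key and a hypothetical git URL and hex key) are assumptions for illustration.

```javascript
// Added example, not the skill's executor code: detect and redact secret-like
// content in an outbound task prompt, then gate sending on owner approval.
// Detector patterns and the sample prompt are constructed for this illustration.

const DETECTORS = [
  // Long-lived credential shapes; a false positive costs a prompt, a leak costs a key.
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { name: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
  { name: "bearer-token", re: /\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*/g },
  // URLs carrying credentials in userinfo, e.g. https://user:pass@host/path
  { name: "url-with-credentials", re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s/@]+:[^\s/@]+@[^\s]+/gi },
  // A bare 32-byte hex value in a wallet skill is very often a private key.
  { name: "hex-32-byte-secret", re: /\b(0x)?[0-9a-fA-F]{64}\b/g },
];

// Constructed sample: a buyer-supplied task containing three kinds of secrets.
// The AWS key is the example value from AWS documentation; the URL and hex
// value are made up for this page.
const SAMPLE_PROMPT = [
  "Task: fix the failing build in https://deploy:hunter2@git.example.invalid/acme/payments.git",
  "Use AWS key AKIAIOSFODNN7EXAMPLE for the integration tests.",
  "Sign the release with 0x4c0883a69102937d6231471b5dbb6204fe5129617082792ae468d01a3f362318",
  "Acceptance: all tests green, no changes to the public API.",
].join("\n");

// Returns every hit as { type, index, length }, ordered by position in the text.
function classifyPrompt(text) {
  const hits = [];
  for (const d of DETECTORS) {
    for (const m of text.matchAll(d.re)) hits.push({ type: d.name, index: m.index, length: m[0].length });
  }
  return hits.sort((a, b) => a.index - b.index);
}

// Replaces each hit with a typed placeholder so the provider still sees the
// structure of the task but none of the material.
function redactPrompt(text) {
  let out = text;
  for (const d of DETECTORS) out = out.replace(d.re, `[REDACTED:${d.name}]`);
  return out;
}

// Gate used before any provider call: clean prompts pass through untouched;
// anything else goes out only as a redacted copy the owner has approved.
async function prepareOutboundPrompt(text, confirm) {
  const hits = classifyPrompt(text);
  if (hits.length === 0) return { text, hits };
  const redacted = redactPrompt(text);
  const summary = hits.map((h) => h.type).join(", ");
  const approved = await confirm(`Prompt contains ${hits.length} secret-like item(s) (${summary}); send redacted copy?`);
  if (!approved) throw new Error("outbound prompt blocked by owner");
  return { text: redacted, hits };
}
```

The placeholders are typed on purpose: a reviewer reading the provider-side logs can tell a redacted key from a redacted URL, and the provider never receives either.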

Missing User Warnings

Medium
91% confidence
Finding
This executor directly constructs and submits value-moving blockchain transactions for ERC-20 transfers, approvals, and escrow deposits based solely on caller-supplied options, with no built-in confirmation, preview, policy checks, or transaction allowlisting in this file. In an agent skill context, that is dangerous because a compromised prompt chain, tool caller, or upstream workflow can trigger irreversible on-chain asset movement or approvals without an explicit user consent boundary at the point of execution.
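The three findings above (unconfirmed signing and transfers from the hot wallet, the automatic threshold sweep to owner_transfer_address, and an executor that builds ERC-20 transfers, approvals and escrow deposits straight from caller options) all come down to one missing component: a policy gate, loaded from owner-reviewed config rather than from the tool call, that every value-moving transaction must pass before it is signed, followed by a contemporaneous confirmation. The block below is an added example written for this page, not the skill's executor. The policy shape, the transaction object fields, the hypothetical addresses and the confirm/broadcast callbacks are assumptions for illustration.

```javascript
// Added example, not the skill's executor: a policy gate for value-moving
// transactions (transfer, approval, escrow deposit, threshold sweep) plus a
// confirmation step before broadcast. All identifiers are hypothetical.

// Normalise hex addresses so case differences cannot slip past the allowlist.
function normAddr(a) {
  if (typeof a !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(a)) return null;
  return a.toLowerCase();
}

// Parse an amount defensively; a malformed value is a rejection, not a crash.
function toWei(v) {
  try {
    return BigInt(v ?? 0);
  } catch {
    return null;
  }
}

// The policy comes from an owner-reviewed config file, never from the tool
// call that asks for the transaction.
function makePolicy({ allowedRecipients, allowedSpenders, maxTransferWei, sweepThresholdWei }) {
  return {
    recipients: new Set(allowedRecipients.map(normAddr)),
    spenders: new Set(allowedSpenders.map(normAddr)),
    maxTransferWei: BigInt(maxTransferWei),
    sweepThresholdWei: BigInt(sweepThresholdWei),
  };
}

// Returns { allow, reasons }. It never throws, so a caller cannot mistake an
// exception path for approval.
function evaluateTx(policy, tx) {
  const reasons = [];
  const to = normAddr(tx.to);
  if (!to) reasons.push("target is not a well-formed address");
  const amount = toWei(tx.amountWei);
  if (amount === null) reasons.push("amount is not a valid integer");
  switch (tx.kind) {
    case "transfer":
    case "escrowDeposit":
      if (to && !policy.recipients.has(to)) reasons.push(`recipient ${to} not in allowlist`);
      if (amount !== null && amount <= 0n) reasons.push("amount must be positive");
      if (amount !== null && amount > policy.maxTransferWei) reasons.push("amount exceeds per-transfer cap");
      break;
    case "approve":
      if (to && !policy.spenders.has(to)) reasons.push(`spender ${to} not in allowlist`);
      // An unlimited (2^256-1) allowance lets a compromised spender drain the wallet.
      if (amount !== null && amount > policy.maxTransferWei) reasons.push("approval exceeds cap; unlimited approvals are refused");
      break;
    case "sweep": {
      const balance = toWei(tx.balanceWei);
      if (to && !policy.recipients.has(to)) reasons.push(`sweep target ${to} not in allowlist`);
      if (balance === null || balance < policy.sweepThresholdWei) reasons.push("balance below sweep threshold");
      break;
    }
    default:
      reasons.push(`unknown transaction kind: ${tx.kind}`);
  }
  return { allow: reasons.length === 0, reasons };
}

// Even a policy-clean transaction needs a contemporaneous yes from the owner;
// `broadcast` is only reached after both checks.
async function submitWithConfirmation(policy, tx, confirm, broadcast) {
  const verdict = evaluateTx(policy, tx);
  if (!verdict.allow) throw new Error("policy rejected transaction: " + verdict.reasons.join("; "));
  const preview = `${tx.kind} ${tx.amountWei ?? tx.balanceWei} wei -> ${tx.to}`;
  if (!(await confirm(preview))) throw new Error("owner declined: " + preview);
  return broadcast(tx);
}
```

Two design points matter here. The allowlist is keyed on normalised addresses, so a mixed-case copy of an allowlisted address is accepted and a single-character substitution is not. And approvals are capped like transfers: an "unlimited" ERC-20 approval is the usual way a later compromise empties a wallet without any further signature from the owner.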

Missing User Warnings

Medium
92% confidence
Finding
This script will install a runtime package whenever invoked with the "install" command, and it does so immediately without any user-facing confirmation, warning, or policy gate in this file. In an agent skill context, automatic dependency installation expands the attack surface because a caller or upstream component may trigger network-based package retrieval and code introduction into the runtime without the user clearly consenting or reviewing what will be installed.

Missing User Warnings

Medium
94% confidence
Finding
The npm subprocess inherits nearly the entire parent environment via `...process.env`, which can expose sensitive credentials such as registry tokens, cloud keys, or CI secrets to the child process and any npm configuration it loads. Even with `--ignore-scripts`, npm still performs network operations and may use environment-derived config, so forwarding all variables unnecessarily broadens secret exposure and increases the blast radius if the installer path, registry, or package resolution is compromised.
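The two installer findings above (an unconfirmed install on the "install" command, and `...process.env` handed to the npm child) have one fix in common: build the child's environment from an explicit allowlist and show the owner the exact command and environment before anything runs. The block below is an added example written for this page, not the skill's installer script. The allowlist, the secret-name pattern, the hypothetical package spec and registry, and the constructed sample environment are assumptions for illustration; `npm_config_registry` is a real npm environment override, and `--ignore-scripts`, `--no-audit` and `--no-fund` are real npm flags.

```javascript
// Added example, not the skill's installer: an allowlisted child environment
// for npm instead of `...process.env`, plus a plan-then-confirm install.
// Allowlist, secret pattern and sample values are assumptions for this page.

// Variables npm legitimately needs. Everything else, including NPM_TOKEN,
// AWS_* credentials, GITHUB_TOKEN and CI secrets, never reaches the child.
const ENV_ALLOWLIST = ["PATH", "HOME", "TMPDIR", "LANG", "NODE_ENV"];

// Names that look like secrets are refused even when passed explicitly.
const SECRET_LIKE = /(TOKEN|SECRET|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|CREDENTIAL)/i;

function minimalEnv(source, extra = {}) {
  const env = {};
  for (const name of ENV_ALLOWLIST) {
    if (source[name] !== undefined && !SECRET_LIKE.test(name)) env[name] = source[name];
  }
  for (const [name, value] of Object.entries(extra)) {
    if (SECRET_LIKE.test(name)) throw new Error(`refusing to forward secret-like variable ${name}`);
    env[name] = value;
  }
  return env;
}

// Names from `source` that will be withheld; surfaced in the plan so a
// reviewer sees exactly what the child does not get.
function withheldNames(source) {
  const kept = new Set(Object.keys(minimalEnv(source)));
  return Object.keys(source).filter((n) => !kept.has(n)).sort();
}

// Plans the install, shows the plan to `confirm`, and only then runs npm.
// Without a confirm callback the function only plans and never executes.
async function installPackage(pkgSpec, { env = process.env, registry, confirm } = {}) {
  // npm reads npm_config_* from the environment, so the registry can be pinned
  // here without editing the user's .npmrc.
  const childEnv = minimalEnv(env, registry ? { npm_config_registry: registry } : {});
  const args = ["install", "--ignore-scripts", "--no-audit", "--no-fund", pkgSpec];
  const plan = { command: "npm", args, env: childEnv, withheld: withheldNames(env) };
  if (!confirm || !(await confirm(plan))) return { ran: false, plan };
  const { spawnSync } = require("node:child_process");
  const result = spawnSync("npm", args, { env: childEnv, stdio: "inherit" });
  return { ran: true, plan, status: result.status };
}
```

Note that `--ignore-scripts` is kept: it stops lifecycle scripts in the fetched package from running, but it does nothing about what npm itself reads from the environment, which is why the allowlist is the real control here.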

Missing User Warnings

Medium
91% confidence
Finding
The verify-wallet flow obtains a remote challenge, signs it with the local wallet, and posts the signature plus wallet identity data to a caller-controlled endpoint without any visible disclosure or consent mechanism in this file. Because signatures can be harvested for account-linking or abused in trust workflows, silent remote signing materially increases phishing and exfiltration risk.
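Both verify-wallet findings (the caller-supplied base URL with no allowlist, and the silent challenge signing) are addressed by the same two controls: compare the service URL against an exact-origin allowlist before any request is made, and put an owner confirmation between fetching the challenge and producing the signature. The block below is an added example written for this page, not the skill's verify-wallet command. The default service URL, the `/v1/wallet/...` paths, and the injected `transport`, `signer` and `confirm` interfaces are assumptions for illustration.

```javascript
// Added example, not code from the AgentWork skill: an exact-origin allowlist
// for the verify-wallet service URL plus a confirmation gate before signing.
// The default URL, API paths and injected interfaces are hypothetical.

// Hypothetical default service origin (the real AgentWork URL is not on this page).
const DEFAULT_SERVICE_URL = "https://api.example-agentwork.invalid";

// Exact origins (scheme + host + port) the skill may contact. Comparing whole
// origins rather than host suffixes means "api.example-agentwork.invalid.evil.tld",
// a different port, and the http:// variant are all rejected.
const ALLOWED_ORIGINS = new Set([new URL(DEFAULT_SERVICE_URL).origin]);

function isAllowedServiceUrl(baseUrl) {
  let url;
  try {
    url = new URL(baseUrl);
  } catch {
    return false; // not an absolute, parseable URL
  }
  if (url.protocol !== "https:") return false; // no plaintext or exotic schemes
  if (url.username || url.password) return false; // no credentials smuggled in userinfo
  return ALLOWED_ORIGINS.has(url.origin);
}

// `transport` (getChallenge, postProof) and `signer` (sign) are injected so the
// flow can be exercised offline; `confirm` is the owner's yes/no prompt.
async function verifyWallet({ baseUrl = DEFAULT_SERVICE_URL, address, signer, transport, confirm }) {
  if (!isAllowedServiceUrl(baseUrl)) {
    throw new Error(`refusing to send wallet identity to non-allowlisted endpoint: ${baseUrl}`);
  }
  const origin = new URL(baseUrl).origin;
  const challenge = await transport.getChallenge(`${origin}/v1/wallet/challenge`);
  // No silent signing: the owner sees what is being signed and for whom, every time.
  const approved = await confirm(`Sign challenge ${challenge.nonce} for ${origin}?`);
  if (!approved) throw new Error("owner declined to sign the challenge");
  const signature = await signer.sign(challenge.message);
  // Send only what the protocol needs. Recovery codes and wallet metadata stay local.
  return transport.postProof(`${origin}/v1/wallet/verify`, { address, nonce: challenge.nonce, signature });
}
```

The allowlist check runs before the challenge is fetched, not just before the proof is posted: a hostile endpoint that can choose the challenge text can already extract a useful signature, so it must never be contacted at all.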

VirusTotal

65/65 vendors flagged this skill as clean. A clean antivirus result does not address the findings above: they concern what the skill is designed to do with wallet and API authority, not the presence of known-malicious code.
