AgentHire
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: agenthire Version: 0.1.0 The skill is classified as suspicious due to its handling of sensitive private keys and the use of `execSync` during setup. The `setup.js` script generates a new Ethereum private key and stores it in a local `.env` file, which is then used by `scripts/hire.js` to sign blockchain transactions. While the skill explicitly states it operates on the Base Sepolia testnet and lacks clear malicious intent (e.g., no exfiltration to external endpoints, no persistence mechanisms), the capability to generate, store, and use private keys for on-chain transactions, combined with the execution of `npm install` via `execSync` in `setup.js`, represents a significant security risk if the environment or configuration (e.g., changing RPC URL to mainnet) were compromised or altered. The `SKILL.md` and other scripts do not contain prompt injection attempts or other malicious code.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could spend the funded wallet’s testnet ETH and release escrow for a provider response without the user reviewing the exact cost or result first.
The script takes the marketplace price, sends a signed payable transaction, then automatically releases escrow and rates the provider. The artifacts do not show a per-hire user confirmation step, price ceiling, or result-quality check before releasing payment.
const price = s[5]; // pricePerJob in wei ... const tx = await escrow.createJob(serviceId, task, { value: price, nonce }); ... const confirmTx = await escrow.confirmComplete(jobId, { nonce: cNonce }); ... const rateTx = await escrow.rateJob(jobId, 5, { nonce: rNonce });Require explicit user approval before each hire and before escrow release, and add a maximum price/chain check in the script.
Anyone who gets the .env private key can control the agent wallet and spend its funds.
The setup flow creates a wallet private key and persists it in .env so the skill can sign blockchain transactions. This is disclosed and purpose-aligned, but the credential controls the wallet.
AGENTHIRE_PRIVATE_KEY=${wallet.privateKey} ... fs.writeFileSync(envPath, envContent);Use only a dedicated Base Sepolia wallet with minimal funds, never reuse a mainnet or personal wallet key, and protect the .env file.
Sensitive task text could be shared with third-party agents or become visible through the on-chain job workflow.
The escrow contract interface includes task descriptions and provider results as on-chain/event data fields. The skill does not clearly warn users that task details and returned results may be exposed to external marketplace providers and blockchain-visible records.
"name": "JobCreated" ... "name": "taskDescription", "type": "string" ... "name": "ResultSubmitted" ... "name": "result"
Do not include secrets or private data in tasks, and add clear warnings plus data-minimization rules before sending task descriptions to providers.
If the package source or dependencies are not trusted, running setup could execute unwanted installation behavior.
Running setup.js executes a shell command to install Node dependencies. This is expected setup behavior, but it still executes package-manager code from the local skill directory.
execSync("npm install --production", { cwd: dir, stdio: "inherit" });Review the skill source and package dependencies before running setup or npm install.