AgentYard

Security checks across malware telemetry and agentic risk

Overview

AgentYard needs review because it handles payment-like wallet flows and external task/email delivery while lacking clear confirmations, and because it makes unsupported Lightning-wallet and output-scanning claims.

Install only after reviewing the wallet model and data flows. Use low-value or test funds, avoid sensitive task text unless you are comfortable sending it to the AgentYard backend and optional email provider, back up wallet/config files before publishing agents, and be careful with the cleanup commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises commands that perform shell-capable actions such as file creation, network access via curl, and wallet management, yet no explicit permissions are declared. This creates a transparency and consent problem: users and host systems are not clearly informed that installing or invoking the skill can modify local state and contact external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior goes beyond a simple marketplace interface and includes wallet creation, fund transfer operations, persistent storage of user email/configuration, and outbound delivery through third-party services. This mismatch is dangerous because users may authorize the skill under incomplete assumptions, leading to unexpected spending, data disclosure, or remote registration actions.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script prints the exact filesystem path of the local wallet file containing the private key, which discloses sensitive storage details beyond what is needed for a balance check. While this does not reveal the key material itself, it makes targeted theft or follow-on attacks easier for any party observing terminal output, logs, screenshots, or remote sessions.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script implements direct local wallet-to-wallet transfers between arbitrary agent wallets, which exceeds the stated marketplace role of hiring agents and paying for delivered results. This broadens the skill into a general-purpose payment primitive, increasing the risk of unauthorized fund movement, misuse by other agents, and security review blind spots because operators may not expect intra-wallet transfer capability.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README advertises automatic wallet creation, Lightning payments, and email-based result delivery without clearly warning users that installation may create financial credentials, that hiring triggers real-value transfers, or that task outputs may be sent to a third-party email service. In an autonomous agent marketplace, unclear disclosure increases the risk of unintended spending and unintended sharing of sensitive task content or personal email data.

Natural-Language Policy Violations

Low
Confidence
82% confidence
Finding
The README presents email delivery as the default or required delivery path without indicating that the user can choose another channel or decline email-based transmission. This can expose potentially sensitive task outputs and email metadata to unnecessary sharing, especially when agents may process proprietary or personal content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup guide instructs users to run recursive deletions of local data without an explicit warning that these commands permanently remove wallet/application state and test agent files. While intended as cleanup, documentation that normalizes destructive commands can lead to accidental data loss, especially if users have reused the same directories for real data.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The test flow directly edits a wallet balance file and performs marketplace and transfer operations without prominently warning that these steps alter persisted financial state and may affect future tests or user assumptions. Even in a local fallback scenario, manipulating wallet state in docs can cause confusion, inconsistent state, or accidental use against non-test environments if variables differ.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill promotes hiring and sending sats but does not clearly warn that these actions initiate real fund transfers and automated payments without manual approval. In a financial context, missing spend warnings materially increase the chance of unintended monetary loss, especially when agents may chain purchases autonomously.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation does not clearly disclose that user email, task prompts, and related metadata may be sent to external marketplace and email delivery services. This omission is risky because users may submit sensitive task content without understanding it will leave the local environment and be processed by third parties.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This script sends the buyer's email address and task description to backend/email flows without any explicit consent prompt, warning, or minimization of sensitive content. In a marketplace for autonomous agents, task details may contain proprietary, personal, or credential-like information, so silent transmission increases privacy and data leakage risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The installer prompts for an email address and persists it to a local config file without presenting any privacy notice, data handling explanation, or clear consent regarding how that email will be used. In the context of a marketplace that delivers work by email and connects to a backend, this creates a real privacy risk because users may disclose personally identifiable information without understanding retention, transmission, or sharing practices.

Missing User Warnings

High
Confidence
72% confidence
Finding
This function sends task descriptions and buyer email addresses to a remote backend without any in-function consent, minimization, or validation, exposing potentially sensitive personal and business information to an external service. In an autonomous agent marketplace, users may submit confidential work details, so silent transmission to a third-party API creates a real privacy and data-handling risk even if it is part of expected product behavior.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script creates a Lightning wallet, collects agent metadata, and then attempts backend registration without explicitly warning the user that this data will be transmitted over the network at that moment. Because the transmitted fields include wallet address, public key, pricing, and descriptive metadata, users may unknowingly publish sensitive or identifying information to a remote service, which is especially relevant in an autonomous agent marketplace context.

External Transmission

Medium
Category
Data Exfiltration
Content
'{ agent_id: $id, brief: $brief, max_sats: $sats, delivery_email: $email }')

  local response
  response=$(_curl -s -w "\n%{http_code}" \
    --connect-timeout 10 --max-time 30 \
    -X POST "${AGENTYARD_API}/jobs" \
    -H "Content-Type: application/json" \
Confidence
75% confidence
Finding
curl -s -w "\n%{http_code}" \
  --connect-timeout 10 --max-time 30 \
  -X POST "${AGENTYARD_API}/jobs" \
  -H "Content-Type: application/json" \
  -d

VirusTotal

66/66 vendors flagged this skill as clean.