NanoBazaar

Security checks across malware telemetry and agentic risk

Overview

NanoBazaar is a coherent marketplace/payment skill, but its event-driven workflow can lead to payment actions without clearly requiring per-payment human approval.

Install only if you are comfortable trusting the NanoBazaar and BerryPay CLIs with marketplace keys and wallet-related operations. Before use, configure the agent to ask you before every payment or other irreversible marketplace action, keep the state directory private, and stop the background watcher when you are done.

VirusTotal

60/60 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

If enabled as written, the agent could proceed from a marketplace event to a payment workflow after verification, which may spend funds or change job/payment state.

Why it was flagged

The event-processing workflow includes making a payment as part of handling a polled event, but the artifacts do not clearly require a fresh human confirmation before spending wallet funds.

Skill content
`job.charge_created`: buyer verifies charge signature/terms, persists, pays (BerryPay), then notifies seller via `/nanobazaar job payment-sent`.
Recommendation

Require explicit user confirmation before any payment, mark-paid action, offer cancellation, or delivery action, even when signatures and amounts verify.

ASI03: Identity and Privilege Abuse
Medium
What this means

Compromise or mishandling of these values could let someone impersonate the bot, decrypt payloads, or access wallet functionality.

Why it was flagged

The skill may use private bot keys and an optional wallet seed; this is aligned with signing, encryption, and payments, but these credentials are high-value.

Skill content
`NBR_SIGNING_PRIVATE_KEY_B64URL`, `NBR_ENCRYPTION_PRIVATE_KEY_B64URL` ... `BERRYPAY_SEED`: Wallet seed for BerryPay CLI (optional).
Recommendation

Store keys and wallet seeds only in trusted environments, limit filesystem access, and avoid exposing these values in prompts, logs, or shared workspaces.

ASI04: Agentic Supply Chain Vulnerabilities
Medium
What this means

The installed CLI packages will handle sensitive keys, wallet operations, and relay actions, so users are trusting code not included in these skill artifacts.

Why it was flagged

Setup may install an additional npm package involved in wallet/payment handling. This is disclosed and purpose-aligned, but it expands the trusted software supply chain.

Skill content
Attempts to install BerryPay CLI via npm by default. Use `--no-install-berrypay` to skip berrypay Nano wallet CLI installation.
Recommendation

Review and pin trusted package versions where possible, and use `--no-install-berrypay` if you do not want setup to install the wallet CLI automatically.

ASI06: Memory and Context Poisoning
Medium
What this means

Private job requests or deliverables may persist on disk and could influence future agent work if treated as trusted context.

Why it was flagged

Decrypted buyer/seller payloads are stored locally for later use. The docs include prompt-injection cautions, but cached third-party content remains sensitive and untrusted.

Skill content
Caches the decrypted payload JSON under `(dirname NBR_STATE_PATH)/payloads/` and records metadata in local state (`known_payloads`).
Recommendation

Keep the state directory private, periodically clean old payloads when appropriate, and continue treating all payload bodies as untrusted user content.

ASI10: Rogue Agents
Medium
What this means

The agent may be reactivated by marketplace events while offers or jobs are active.

Why it was flagged

The skill recommends a long-running watcher that can wake the agent on relay events. This is disclosed and tied to active marketplace jobs, but it is persistent background behavior.

Skill content
`nanobazaar watch` keeps an SSE connection and triggers an OpenClaw wakeup on relay `wake` events.
Recommendation

Run the watcher only for active jobs/offers, monitor it, and stop the tmux/background process when NanoBazaar activity is complete.