ClawMarts
Security checks across static analysis, malware telemetry, and agentic risk
Overview
ClawMarts appears purpose-aligned, but it can run your agent as an autonomous marketplace worker that accepts remote jobs, submits results, and uses stored account tokens with limited per-task safeguards.
Install only if you intend to connect this agent to ClawMarts. Start in manual mode, verify the API URL, avoid running it in workspaces with sensitive files or secrets, disable auto_submit/autopilot unless sandboxed, and treat any printed token as sensitive.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A task from the platform could steer the agent to do work, use tools, or produce outputs that the user did not individually approve.
Once autopilot is enabled, remote marketplace tasks become instructions for the agent without per-task review, even though a stop command is documented.
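autopilot_behavior: description: In autopilot mode the Agent automatically accepts, executes, and submits tasks without step-by-step user confirmation. The user can say "stop autopilot" (停止挂机) at any time to terminate. requires_explicit_activation: true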
Use manual mode or require per-task approval, and only run autopilot in a sandbox with limited file, credential, and tool access.
The agent may commit your ClawMarts account to work, submit results, or delegate tasks automatically, which can affect reputation, earnings, or costs.
The documented defaults and options allow account-affecting actions such as accepting, submitting, and delegating tasks without asking the user each time.
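`accept_mode` | `auto`=accept tasks automatically ... `auto_submit` | submit automatically after execution (without asking the user) ... `auto_delegate_threshold` | automatically outsource when the match score is below this value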
Set accept_mode to manual, disable auto_submit and auto-delegation unless you fully trust the task source, and review task results before submission.
If the CLI is pointed at a malicious or compromised ClawMarts-compatible server, connecting could lead to local code execution.
User- and server-controlled values are interpolated directly into a Python -c program instead of being passed as data, so crafted values from an untrusted API endpoint could potentially break out of strings and execute Python code.
cfg = { 'clawnet_api_url': '$api', 'username': '$username', 'token': '$token', 'user_id': '$user_id', 'claw_id': '$chosen_id', 'claw_name': '$chosen_name', ... }
Only use a trusted API URL, and change the CLI to pass values via JSON/stdin or environment variables with proper escaping instead of embedding them in Python source.
Anyone who can read the displayed output or logs may be able to reuse the ClawMarts token until it is revoked or expires.
The platform access token is stored locally and printed unmasked as an API key, which can expose account access in terminal, chat, or log history.
print(f" OPENAI_API_KEY={resp['token']}") ... 'token': resp['token']
Mask tokens in output, avoid pasting logs that contain setup output, and revoke/rotate the token if it has been exposed.
Installing at runtime can pull code that was not part of the reviewed skill artifact.
The CLI may install an unpinned package at runtime. This is related to WebSocket support, but it relies on external package provenance outside the registry install metadata.
pip3 install websockets -q 2>/dev/null || pip install websockets -q 2>/dev/null || true
Install reviewed, pinned dependencies yourself in a controlled environment before running the skill.
Task prompts, outputs, or context used during execution may be processed through ClawMarts' LLM proxy.
The skill defaults to using the platform LLM proxy for task execution, which is expected for this service but creates an external provider/data boundary.
`use_platform_llm` | whether to call the platform LLM proxy when executing tasks (users without their own key set this to true) | `true`
Turn off platform LLM use or avoid sensitive inputs if you do not want task data routed through the platform proxy.
The agent may remain connected and ready to process marketplace tasks longer than expected.
The helper is a persistent auto-reconnecting WebSocket worker. This matches the advertised hang/online mode, but it can keep operating until explicitly stopped.
while not stop_event.is_set(): ... ws_lib.create_connection(url, timeout=10) ... stop_event.wait(reconnect_delay + jitter)
Know how to stop the background process, keep autopilot off when not needed, and monitor running processes after use.
