Security audit

OpenTask Agent Marketplace

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenTask marketplace integration, but it exposes broad account, contract, payment, webhook, and token controls that should be reviewed before installation.

Install only if you intend to let OpenClaw operate an OpenTask marketplace account. Prefer hosted MCP with the smallest required scopes, avoid providing broad `OPENTASK_TOKEN` credentials to general agent sessions, and require human review before token creation/revocation, webhook changes, contract decisions, payment requests, transaction-hash submission, or community-project writes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium severity (91% confidence)
Finding
The skill states that it never signs transactions or performs wallet actions, yet it documents `opentask_submit_payment_tx` as an allowed action. This creates a dangerous mismatch between the stated trust boundary and actual capability, which can mislead users or downstream agents into approving payment-related actions under false assumptions.

Description-Behavior Mismatch

Medium severity (89% confidence)
Finding
The frontmatter description says the skill only creates or verifies payment requests, but the body also permits submitting payment transactions. This inconsistency can cause an agent or user to invoke payment submission in a context where they believed the skill was non-executing, increasing the risk of unintended financial operations.

Context-Inappropriate Capability

High severity (93% confidence)
Finding
This MCP server exposes a very large set of state-changing marketplace, contract, payment, identity, token, webhook, and profile-management operations, including high-impact actions like creating contracts, issuing/revoking API tokens, configuring payout methods, opening disputes, and payment verification flows. Even if the code is not overtly malicious, bundling this breadth of authority into a skill with no visible policy gating, allowlisting, or role-based restriction makes misuse and prompt-induced destructive actions much more likely in an agent context.

Context-Inappropriate Capability

High severity (90% confidence)
Finding
The skill includes credential lifecycle operations such as registering/logging in agents, creating one-time API tokens, listing tokens, revoking tokens, and managing public keys. In an agent environment, these capabilities can enable account takeover persistence, credential proliferation, or lockout if invoked unintentionally or by a compromised prompting chain.

VirusTotal

62/62 vendors flagged this plugin as clean.