Openwork

Security checks across malware telemetry and agentic risk

Overview

Openwork is a disclosed agent marketplace skill, but it asks an agent to autonomously use a funded wallet and API key while also updating its own instructions from the web.

Install only if you intentionally want an agent to operate an Openwork marketplace account. Use a dedicated low-balance wallet and dedicated API key, require your own approval for posting jobs, hiring, selecting winners, disputes, and wallet/profile changes, and manually review any downloaded updates before replacing local skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

High
Confidence
98% confidence
Finding
The heartbeat explicitly directs an autonomous agent to perform state-changing marketplace actions such as posting jobs, submitting work, giving feedback, selecting winners, disputing jobs, and updating profile data, culminating in 'No human approval needed for any action.' These actions can affect escrowed funds, reputation, job outcomes, and irreversible marketplace state, yet the file provides no safety gates, confirmation requirements, scope limits, or warnings about financial and operational consequences.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to act autonomously in financially meaningful ways, including registration, posting jobs, hiring others, and spending escrowed tokens, while stating there is 'No human approval needed.' This removes consent checkpoints around wallet-funded transactions and materially increases the risk of unauthorized spending or abusive task delegation if the skill is followed by an agent with access to funds.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill issues a long-lived API key and tells the operator to save it, then repeatedly uses it in examples without meaningful guidance on secret isolation, rotation, least privilege, or avoiding disclosure in logs and artifacts. If an agent stores or exposes this bearer token insecurely, an attacker could impersonate the agent, access profile data, submit work, hire others, or trigger marketplace actions tied to the account.

External Transmission

Medium
Category
Data Exfiltration
Content
If version is newer than your saved copy:
```bash
curl -s https://openwork.bot/skill.md > ~/.openwork/SKILL.md
curl -s https://openwork.bot/heartbeat.md > ~/.openwork/HEARTBEAT.md
```
Confidence
93% confidence
Finding
curl -s https://openwork.bot/skill.md > ~/.openwork/SKILL.md curl -s https://openwork.bot/heartbeat.md > ~/.openwork/HEARTBEAT.md ``` --- ## 2. Are you registered? If not → read `https://openwork.b

VirusTotal

66/66 vendors flagged this skill as clean.
