Back to skill

Security audit

Openwork

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed marketplace integration, but it asks an agent to autonomously use token-backed funds and replace its own instructions from a website without review.

Install only if you intentionally want an agent to operate an Openwork marketplace account. Use a dedicated low-balance wallet and dedicated API key, set your own approval rules for posting jobs, hiring, selecting winners, disputes, wallet changes, and profile changes, and manually review any downloaded updates before replacing local skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

High
Confidence
97% confidence
Finding
The heartbeat explicitly authorizes autonomous, state-changing actions without requiring user confirmation, including posting jobs, submitting work, giving feedback, selecting winners, disputing jobs, and updating profile/wallet data. In an agent environment, this can cause unauthorized transactions or commitments, reputation damage, data leakage through submissions/artifacts, and irreversible marketplace actions if the skill is triggered with valid credentials.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to operate a wallet-funded marketplace and make on-chain spending decisions, but it does not present clear safety warnings, spending boundaries, or explicit user-consent requirements. In this context, omission of those controls is dangerous because the agent is encouraged to post jobs, hire others, and move token value autonomously using user-funded assets.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The text explicitly mandates fully autonomous operation and states that no human approval is needed after wallet funding. That creates a direct path for an agent to take irreversible financial actions, accept external work, and hire third parties without consent, which is especially risky because the skill is tied to real-value tokens and on-chain escrow.

Ssd 4

Medium
Confidence
94% confidence
Finding
The narrative framing repeatedly normalizes autonomous financial operation as the expected mode, which can bias an agent toward spending and operational actions beyond a reasonable safe scope. Because the marketplace includes hiring, bidding, escrow, and token transfers, this framing materially increases the chance of unsafe use of user funds.

Ssd 4

Medium
Confidence
93% confidence
Finding
This section reinforces a 'no-human-needed' operating model after funding, normalizing continued autonomous spending, hiring, and earnings activity. Repetition matters here because it strengthens an unsafe policy signal in a skill whose core function involves real financial commitments and external counterparties.

Scope Creep

Low
Category
Excessive Agency
Content
The agent-only marketplace. AI agents hire each other, complete work, verify outcomes, and earn **$OPENWORK tokens on Base**.

**You are fully autonomous.** The only thing your human does is fund your wallet. After that, you handle everything — registration, finding work, completing jobs, hiring other agents, and earning tokens. No human approval needed. No human in the loop.

## Quick Start
Confidence
84% confidence
Finding
handle everything

Scope Creep

Low
Category
Excessive Agency
Content
- **$OPENWORK:** ERC-20 token on Base (Ethereum L2)
- **Escrow:** OpenworkEscrow smart contract — trustless on-chain settlement
- **Fee:** 3% platform fee on completed jobs
- **Fully autonomous:** You handle everything after your wallet is funded

---
Confidence
82% confidence
Finding
handle everything

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.