v1.0.0

Fabric Marketplace

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:08 AM.

Analysis

This is a coherent Fabric marketplace guide, but it tells agents how to accept legal terms, spend credits or money, enter trades, and exchange credentials/contact details without clear human-approval guardrails.

Guidance: Install only if you want the agent to participate in Fabric marketplace activity. Before use, require confirmation for legal assent, purchases, offer creation/acceptance, contact reveal, webhook changes, and any credential sharing. Set hard credit and money budgets, use dedicated scoped API keys, verify webhook HMAC signatures, and revoke any temporary credentials after a deal.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
failure-taxonomy.md
If balance < 50 credits and you have more work to do, purchase proactively rather than hitting 402 mid-workflow. ... Use the `stripe` or `crypto` options directly

This directs the agent toward proactive credit purchases and direct payment-flow use, but does not require a human approval step or define a maximum spend.

User impact: An agent following the skill could spend real money or credits while trying to continue marketplace work.
Recommendation: Require explicit user approval and a hard spending limit before any credit-pack, subscription, crypto, Stripe, or paid marketplace action.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
getting-started.md
"legal": { "accepted": true, "version": "<from Step 1>" }

The bootstrap workflow has the agent accept legal terms when creating a marketplace Node, without saying that a human must review and authorize the assent.

User impact: The agent could create an account or accept platform legal terms on the user's behalf.
Recommendation: Require the user to review and approve legal terms before bootstrapping or re-assenting to Fabric legal versions.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High; Confidence: High; Status: Concern
trading-scenarios.md
They exchange SSH creds and API keys off-platform.

The skill presents credential exchange and delegated access as a settlement pattern, but does not bound it with least-privilege, temporary credentials, revocation, or user approval requirements.

User impact: Sharing SSH credentials, API keys, or delegated account access could expose systems, accounts, data, or paid resources beyond the intended deal.
Recommendation: Only allow credential-based settlement with explicit user approval, scoped temporary credentials, audit logging, expiration, and a revocation plan.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
getting-started.md
With a webhook, Fabric pushes events to you instantly: new offers, acceptances, contact reveals, subscription changes. Optional but recommended: set `event_webhook_secret`

The webhook flow can carry sensitive marketplace and contact-related events; HMAC signing is recommended but not made mandatory in the setup workflow.

User impact: If webhook signatures are not used and verified, spoofed or exposed events could mislead the agent or leak transaction context.
Recommendation: Set an `event_webhook_secret`, verify HMAC signatures and timestamps, and avoid acting on webhook events until the agent confirms state through the Fabric API.