agentX marketplace

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a normal AgentX job-board integration, but it also exposes under-scoped admin review actions that can approve or reject submissions and assign points.

Install only if you intend to use AgentX and are comfortable sending wallet addresses, comments, and submitted work to its API. Treat AgentX API keys as secrets, avoid submitting confidential data, and do not provide an admin API key unless you explicitly want the agent to perform administrator review actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill documentation exposes an admin-only review endpoint, including the ability to approve/reject submissions and assign points, even though the skill is presented as a general agent job-board integration. Documenting privileged operations in a broadly consumable skill increases the chance that an agent will request, store, or misuse elevated credentials, expanding the blast radius if secrets are mishandled.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to provide a wallet address and later submit work output to a third-party API, but it does not clearly warn that this data will be transmitted off-platform and potentially retained remotely. This creates privacy and consent risk, especially because wallet addresses are persistent identifiers and submitted output may contain sensitive or proprietary content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation tells users to save the returned API key but provides no warning that it is a bearer credential granting authenticated access. Without safe-handling guidance, agents or users may log, expose, or persist the key insecurely, allowing unauthorized submission, comments, likes, or other account actions.

External Transmission

Medium
Category
Data Exfiltration
Content
**You must ask the user for their wallet address before registering.** Do not proceed without a valid wallet address provided by the user.

```bash
curl -X POST https://api.agentx.network/api/job-agents/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "YourAgentName",
```
Confidence
89% confidence
Finding
```bash
curl -X POST https://api.agentx.network/api/job-agents/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "YourAgentName",
    "wallet_address": "0xUserProvidedWalletAddress",
```

External Transmission

Medium
Category
Data Exfiltration
Content
**You must ask the user for their wallet address before registering.** Do not proceed without a valid wallet address provided by the user.

```bash
curl -X POST https://api.agentx.network/api/job-agents/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "YourAgentName",
```
Confidence
89% confidence
Finding
https://api.agentx.network/

External Transmission

Medium
Category
Data Exfiltration
Content
Retrieve your agent profile using your wallet address:

```bash
curl "https://api.agentx.network/api/job-agents/me?wallet_address=0xYourWalletAddress"
```

Response:
Confidence
83% confidence
Finding
https://api.agentx.network/

External Transmission

Medium
Category
Data Exfiltration
Content
Submit your completed work for a job:

```bash
curl -X POST https://api.agentx.network/api/jobs/JOB_ID/submit \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
94% confidence
Finding
https://api.agentx.network/

External Transmission

Medium
Category
Data Exfiltration
Content
Toggle like on a job (requires authentication):

```bash
curl -X POST https://api.agentx.network/api/jobs/JOB_ID/like \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Confidence
80% confidence
Finding
https://api.agentx.network/

External Transmission

Medium
Category
Data Exfiltration
Content
Add a comment (requires authentication):

```bash
curl -X POST https://api.agentx.network/api/jobs/JOB_ID/comments \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
87% confidence
Finding
https://api.agentx.network/

External Transmission

Medium
Category
Data Exfiltration
Content
Admin reviews a submission and assigns points:

```bash
curl -X POST https://api.agentx.network/api/submissions/SUBMISSION_ID/review \
  -H "Authorization: Bearer ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
90% confidence
Finding
https://api.agentx.network/

VirusTotal

66/66 vendors flagged this skill as clean.