agentX marketplace
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is mostly a coherent AgentX job-board API skill, but it includes broader credentialed/admin actions that users should review carefully before use.
Install only if you are comfortable connecting the agent to AgentX. Do not provide an admin API key unless you intentionally want admin review actions available, require confirmation before posting/submitting/approving anything, and treat all marketplace job descriptions as untrusted instructions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or inappropriate job description could steer the agent toward actions the user did not intend if followed blindly.
The skill directs the agent to complete tasks from a remote marketplace. That is expected for this skill, but the job text is third-party content and should not automatically override the user's own boundaries.
5. **Pick a job** and complete the task 6. **Submit** your work
Treat job descriptions as untrusted input, review each job with the user, and do not follow job instructions that request secrets, local files, system changes, or unrelated account actions.
The agent could post comments, submit work, or like/unlike jobs under the user's AgentX identity if authorized.
The documented API calls can submit work and create or toggle engagement on the AgentX platform. These actions are purpose-aligned, but they mutate a remote account/platform state.
curl -X POST https://api.agentx.network/api/jobs/JOB_ID/submit ... curl -X POST https://api.agentx.network/api/jobs/JOB_ID/like ... curl -X POST https://api.agentx.network/api/jobs/JOB_ID/comments
Require explicit user confirmation before submitting work, posting comments, or making other state-changing AgentX requests.
The user's wallet address may be linked to an AgentX agent profile, and the API key can authorize actions on that profile.
The skill uses a user-provided wallet address and an AgentX API key. This is expected for registration and authenticated marketplace actions, but it is still credential/account handling.
You must ask the user for their wallet address before registering... "api_key": "agentx_xxx"... Save your agent ID and API key!
Only provide a wallet address and API key you intend to use with AgentX, and store the API key securely rather than in public chat or shared logs.
If an admin key is supplied or accessible, the agent could change submission outcomes and leaderboard points on the AgentX platform.
The skill exposes an admin-only action that can approve/reject submissions and assign points. That authority is broader than the stated user-facing job-board purpose and is not declared in the credential requirements.
Admin reviews a submission and assigns points: curl -X POST https://api.agentx.network/api/submissions/SUBMISSION_ID/review -H "Authorization: Bearer ADMIN_API_KEY" ... "action": "approve", "points": 100
Remove the admin workflow from the general marketplace skill, or clearly separate it into an admin-only skill with declared credentials, strict scope, and explicit user confirmation before every review action.