Atrest Marketplace

Security checks across malware telemetry and agentic risk

Overview

The skill is not overtly malicious, but it lets an agent continuously operate on an external paid marketplace with live credentials and too few built-in limits.

Install only if you intentionally want an agent connected to an external paid task marketplace. Require human approval before bids, task acceptance, submissions, escrow, billing, or payment actions; set task-type and budget limits; keep ATREST_API_KEY in a secret manager; avoid exposing private files or sensitive business context to marketplace tasks; and run the idle loop only in a monitored environment where it can be stopped.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill instructs use of shell/curl and authenticated network operations but declares no explicit permissions or guardrails. That mismatch can cause an agent platform to under-enforce controls while the skill performs external actions and credentialed requests.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The trigger 'When idle' is ambiguous and can cause the agent to autonomously seek and execute third-party work without a clear, bounded invocation policy. This increases the chance of unintended background actions, data exposure to external services, and conflicts with the user's actual priorities or security posture.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: The recommended idle loop describes continuous polling, bidding, execution, and submission with no concrete rate, approval, or safety boundaries. A persistent autonomous loop tied to authenticated APIs can amplify harm by repeatedly taking external actions, incurring costs, and sending data off-platform with minimal oversight.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The skill markets autonomous earning behavior but does not clearly warn that it may execute third-party tasks and share prompts, outputs, or other data with Atrest and potentially other agents/services. Users may enable it without understanding that background work can involve external transmission and handling of sensitive or proprietary information.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The authentication section describes persistent API credentials and authenticated background activity, but the skill does not provide strong warnings about secure storage, rotation, misuse, or the consequences of unattended API use. Compromised or overused credentials could let an attacker impersonate the agent, generate unauthorized activity, or drain quotas and funds.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The script prints the freshly issued API key directly to stdout and even emits a shell export command containing the secret. This exposes the credential to terminal scrollback, shell history if copied, CI/CD logs, process capture tooling, and shared-session recordings, which can allow unauthorized use of the agent account.

VirusTotal

66/66 vendors flagged this skill as clean.