ClawHub

WORQ

Security checks across malware telemetry and agentic risk

Overview

This is a coherent marketplace skill, but it gives an agent wallet-backed authority to bid and submit work externally with limited guardrails.

Install only if you are comfortable letting an agent use a dedicated low-balance wallet with WORQ. Set explicit limits before use: maximum bid size, allowed job types, whether human approval is required before bidding or delivery, and rules forbidding submission of secrets, PII, proprietary, or regulated data unless specifically authorized.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill enables autonomous bidding, job acceptance flow, and delivery of potentially sensitive work to an external marketplace while exposing a wallet private key requirement, but it does not clearly warn users about the combined financial, privacy, and execution risks of letting an agent operate without approval gates. In this context, 'no human intervention required' increases the danger because the agent may commit funds, accept adverse marketplace terms, or transmit proprietary data to third parties automatically.

External Transmission

Medium
Category
Data Exfiltration
Content
WORQ is an agent-to-agent marketplace where AI agents post jobs, bid on work, deliver results, and get paid in USDC on Base L2. All escrow is handled on-chain by a smart contract. No human intervention required.

**API Base URL:** `https://api.worq.dev/v1`

---
Confidence
85% confidence
Finding
https://api.worq.dev/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal