Craigslist for Agents

Security checks across malware telemetry and agentic risk

Overview

This marketplace skill's manifest discloses what it does and its behavior matches the stated purpose, but it grants agents broad autonomous authority over listings, messages, offers, deals, and credentials without adequate approval boundaries.

Install only if you are comfortable granting an agent authority to act in a marketplace on your behalf. If you do:
  • Use ask-first behavior: require explicit confirmation before every delete, listing, message, offer, or deal action.
  • Keep the API key out of agent memory and persisted agent state.
  • Use a dedicated, low-value marketplace account rather than your primary one.
  • Rotate the key immediately if it is exposed (logged, pasted into a prompt, exported, or committed).
  • Verify or pin the external npm packages the skill runs before executing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The manifest is presented as an AI-agent marketplace skill, but it also advertises human-user operations such as chats, user profile management, deal views, and human-authenticated review flows. This broadens the capability surface beyond the declared agent-focused scope and increases the chance that an agent or integrator could invoke endpoints involving human accounts or sensitive communications without appropriate separation, policy checks, or user-consent boundaries.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The heartbeat template explicitly instructs agents to automatically evaluate, respond to, and potentially accept marketplace offers on a periodic basis without a strong user-facing warning, approval boundary, or default-safe constraint. In a marketplace context, autonomous acceptance or negotiation can create unintended transactions, financial loss, reputational harm, or commitment to terms the owner did not intend to authorize.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The configuration example stores a live API key directly in persistent agent state/memory, which increases the chance that credentials are exposed through logs, memory inspection, prompt leakage, exports, or downstream tools. Because this file is a reusable template for periodic execution, normalizing secret storage in memory makes accidental credential disclosure more likely across deployments.
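One way to keep the key out of a reusable template, shown here as an added example rather than the skill's own code: persist a reference to an environment variable in the agent state and resolve it only at the moment a call is made, so the value never reaches the state file, logs, or exports. The state layout and the CLAWSLIST_... variable names are assumptions; only the "live key in persistent state" problem comes from the finding.

```javascript
// Added example, not code from the clawslist skill. Secret-looking fields are
// detected by key name and replaced with an "env:NAME" reference before the
// state is written; the reference is resolved from the environment at use time.
const SECRET_KEY = /(api[_-]?key|secret|token|password)$/i;
const REF_PREFIX = "env:";

// Walks the state, replacing each secret string with an env: reference.
// Returns [stateSafeToPersist, secretsToExport]; the second value is what the
// caller puts into the process environment (or a keyring), never on disk.
function externalizeSecrets(node, prefix = "CLAWSLIST", found = {}) {
  if (Array.isArray(node)) {
    return [node.map((v, i) => externalizeSecrets(v, `${prefix}_${i}`, found)[0]), found];
  }
  if (node === null || typeof node !== "object") return [node, found];
  const out = {};
  for (const [k, v] of Object.entries(node)) {
    // Variable name derived from the path, e.g. CLAWSLIST_MARKETPLACE_API_KEY (assumed scheme).
    const name = `${prefix}_${k}`.replace(/[^A-Za-z0-9]/g, "_").toUpperCase();
    if (typeof v === "string" && SECRET_KEY.test(k) && !v.startsWith(REF_PREFIX)) {
      found[name] = v;
      out[k] = REF_PREFIX + name;
    } else {
      out[k] = externalizeSecrets(v, name, found)[0];
    }
  }
  return [out, found];
}

// Inverse: resolve env: references, but only under secret-looking keys so an
// ordinary string that happens to start with "env:" is left alone. Throws when
// the variable is missing instead of sending an empty key to the marketplace.
function resolveSecrets(node, env = process.env, key = "") {
  if (Array.isArray(node)) return node.map((v) => resolveSecrets(v, env, key));
  if (node !== null && typeof node === "object") {
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, resolveSecrets(v, env, k)]));
  }
  if (typeof node === "string" && SECRET_KEY.test(key) && node.startsWith(REF_PREFIX)) {
    const name = node.slice(REF_PREFIX.length);
    if (!(name in env)) throw new Error(`secret ${name} is not set in the environment`);
    return env[name];
  }
  return node;
}

function demoExternalize() {
  // Constructed heartbeat state; the key is a placeholder, not a real credential.
  const heartbeatState = {
    marketplace: { base_url: "https://marketplace.example", api_key: "cl_live_PLACEHOLDER" },
    listings: [{ id: "l-9", title: "Desk lamp" }],
    last_run: "2024-01-01T00:00:00Z",
  };
  const [stored, secrets] = externalizeSecrets(heartbeatState);
  const resolved = resolveSecrets(stored, secrets);   // secrets stands in for process.env here
  let missing = false;
  try { resolveSecrets(stored, {}); } catch (e) { missing = true; }
  return { stored, secrets, resolved, missing };
}

console.log(JSON.stringify(demoExternalize().stored, null, 2));
```

The persisted object contains "env:CLAWSLIST_MARKETPLACE_API_KEY" where the template had the key; anything that dumps, logs or exports the state now leaks a variable name, not a credential.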

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill explicitly grants 'Autonomous Execution Permitted' for marketplace actions, including destructive operations such as delete_agent, delete_listing, accept_offer, and regenerate links, without requiring per-action user confirmation. In an agent environment, this lowers safety barriers and can enable unintended account changes, listing deletion, deal acceptance, or ownership-transfer side effects from prompt injection or misinterpretation.
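The approval boundary this finding and the heartbeat finding above call for, and that the overview recommends, as an added example; it is not code from the skill. The action names are those the findings list (delete_agent, delete_listing, accept_offer, regenerate links) plus the obvious read-only and listing/message/offer operations; the gate API, the auto-accept ceiling, and the sample tool and owner are assumptions.

```javascript
// Added example, not part of the clawslist skill: a gate between the agent's
// planner and the marketplace tool. Read-only calls pass, unknown calls are
// denied, and every state-changing call needs an owner decision made on the
// exact arguments that will be sent.

// Read-only actions the agent may run on a heartbeat without asking.
const READ_ONLY = new Set(["search_listings", "get_listing", "list_offers", "get_deal"]);

// State-changing actions (assumed names, matching the findings where they are named).
const NEEDS_APPROVAL = new Set([
  "create_listing", "update_listing", "delete_listing", "send_message",
  "make_offer", "accept_offer", "delete_agent", "regenerate_links",
]);

class ApprovalGate {
  // approve(action, args) -> boolean is supplied by the integrator and asks the
  // owner out of band (terminal prompt, chat message, ticket). maxAutoAccept is
  // a per-offer ceiling under which accept_offer may run unattended; the
  // default of 0 means no offer is ever accepted without a human.
  constructor(approve, { maxAutoAccept = 0 } = {}) {
    this.approve = approve;
    this.maxAutoAccept = maxAutoAccept;
    this.audit = [];
  }

  // Decides, records the decision, and only then invokes the tool with the
  // frozen arguments, so a prompt-injected edit to the arguments after the
  // owner said yes cannot reuse that approval.
  run(action, args, tool) {
    const frozen = Object.freeze({ ...args });
    let allowed, reason;
    if (READ_ONLY.has(action)) {
      allowed = true; reason = "read-only";
    } else if (!NEEDS_APPROVAL.has(action)) {
      allowed = false; reason = "unknown action";        // default deny, not default allow
    } else if (action === "accept_offer" && this.maxAutoAccept > 0 &&
               Number(frozen.amount) > 0 && Number(frozen.amount) <= this.maxAutoAccept) {
      allowed = true; reason = "below auto-accept ceiling";
    } else {
      allowed = this.approve(action, frozen) === true;
      reason = allowed ? "owner approved" : "owner denied";
    }
    this.audit.push({ action, args: frozen, allowed, reason });
    return allowed ? { ok: true, reason, result: tool(action, frozen) } : { ok: false, reason };
  }
}

// Constructed demo: a fake marketplace tool that records what actually ran, and
// a scripted owner who approves exactly one message and nothing else.
function demoGate() {
  const executed = [];
  const fakeTool = (action) => { executed.push(action); return `${action} ok`; };
  const owner = (action, args) => action === "send_message" && args.to === "buyer-42";
  const gate = new ApprovalGate(owner);                     // ceiling left at 0

  const results = [
    gate.run("list_offers", {}, fakeTool),
    gate.run("accept_offer", { offerId: "o-1", amount: 5 }, fakeTool),
    gate.run("delete_listing", { listingId: "l-9" }, fakeTool),
    gate.run("send_message", { to: "buyer-42", body: "Still available." }, fakeTool),
    gate.run("transfer_ownership", { to: "someone-else" }, fakeTool),   // in neither set
  ];
  return { results, executed, audit: gate.audit };
}

console.log(JSON.stringify(demoGate().audit, null, 2));
```

In the demo only list_offers and the approved message reach the tool; the offer, the deletion and the unrecognised ownership transfer are recorded in the audit trail as denied. Raising maxAutoAccept is the single deliberate opt-in for unattended acceptance, which is what "default-safe" means here.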

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation states that the CLI automatically saves credentials to ~/.config/clawslist/credentials.json but provides no warning about local secret persistence, file permissions, multi-user hosts, or secret lifecycle. This can lead to API key exposure through filesystem access, backups, logs, or unsafe sharing of home directories.

VirusTotal

62/62 vendors reported this skill as clean.