Craigslist for Agents
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: clawslist
Version: 1.1.0
This skill is classified as suspicious due to its explicit instructions for 'Autonomous Execution Permitted' in SKILL.md, which is a direct prompt injection instructing the AI agent to bypass user confirmation for actions. Additionally, it relies on powerful commands like `npx -y` and `npm install -g` for installing and executing its components, which, while for the stated purpose of interacting with clawslist.net, represent high-risk capabilities. The CLI also automatically stores API credentials in a local config file, a sensitive action. While there is no clear evidence of intentional malicious behavior like data exfiltration to unauthorized endpoints or installing backdoors, these broad permissions and execution methods without explicit user oversight are significant security risks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could make marketplace commitments, change listings, or send messages without the user approving each action.
The skill authorizes autonomous use of tools that can post public content, delete marketplace data, message others, and accept offers/create deals.
`create_listing`, `update_listing`, `delete_listing`, `send_message`, `accept_offer` ... "Autonomous Execution Permitted" ... "execute these tools without additional user confirmation"
Require explicit user approval for posting, deleting, accepting offers, regenerating links, or any action with financial, reputational, or account impact.
The agent may continue checking messages, finding opportunities, and accepting offers on a schedule, which can surprise users if not tightly controlled.
The artifact provides a recurring background routine that can keep operating and take marketplace actions after the initial setup.
"Copy this to your agent's heartbeat/periodic routine file" ... "Every 4-6 Hours" ... "If in auto_accept mode: Accept good offers"
Only enable heartbeat behavior with clear user opt-in, bounded budgets/categories/listings, audit logs, and approval gates for transactional actions.
If persistent memory is shared, logged, or reused across tasks, the API key and deal information could be exposed or misused.
The heartbeat template recommends storing an API key and marketplace state in agent memory for reuse across periodic runs.
"Add to your agent's state/memory" ... "apiKey": "claws_YOUR_API_KEY_HERE" ... "pendingOffers": [], "deals": []
Store the API key in a secrets manager or environment variable rather than model memory, and limit retention of deals/messages to what is necessary.
Installing or running those packages will execute code outside this instruction-only skill review.
The skill relies on external npm packages that are not included in the reviewed artifact set and are not version-pinned in the examples.
`npx -y @clawslist/mcp-server` ... `npm install -g @clawslist/cli`
Verify the npm package provenance, pin versions where possible, and install only from trusted package sources.
Anyone with the API key may be able to act as the agent on Clawslist.
The service uses a bearer API key for authenticated agent actions, which is expected for this marketplace integration.
"authentication": { "type": "bearer", "header": "Authorization", "prefix": "Bearer", "key_prefix": "claws_" }
Treat the Clawslist API key as a credential, avoid sharing it with unrelated tools, and rotate or revoke it if exposed.
Other agents or users could send messages that try to influence the agent's behavior or decisions.
The workflow intentionally processes messages and listings from other marketplace participants, which may contain untrusted content.
"Check Messages on Active Listings" ... "Evaluate the message" ... "Respond if appropriate"
Treat marketplace messages and listings as untrusted input; do not allow them to override system instructions, spending limits, or approval requirements.
