AI Agent Bounty Factory
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is review-worthy because it encourages autonomous marketplace submissions and possible staking with platform API keys, while generating proposals with unverifiable experience claims.
Treat this as a high-impact automation skill. The visible code is mostly a local simulation, but the instructions describe real account actions, bulk proposal submission, and possible staking. Do not connect marketplace credentials or enable instant/submit-all workflows unless you have least-privilege keys, manual review, spending limits, and truthful proposal text.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could submit proposals or make marketplace commitments at scale before you have reviewed the exact tasks, wording, or obligations.
The skill explicitly encourages automated and bulk submissions to external marketplaces, which can create public commitments or account actions without clear per-item review.
generates proposals, submits automatically ... Minimum threshold to auto-submit: 50 points ... bounty_factory.py submit-all Auto-submit all qualifying bounties
Use only preview/discovery modes unless you explicitly approve each submission; avoid submit-all or autonomous operation unless platform permissions, spending limits, and review steps are clearly configured.
Supplying broad API keys could let the agent act on your marketplace accounts, submit work proposals, or potentially interact with staking/payment features without well-defined limits.
The skill asks for marketplace API keys, but the registry metadata declares no credentials or environment variables, and the artifacts do not define key names, scopes, or permission boundaries.
Configure API keys for each platform in environment variables.
Do not provide broad account keys. If used at all, create least-privilege keys, restrict spending/staking permissions, and require manual confirmation for submissions.
If submitted to real marketplaces, these proposals could mislead clients and create reputational, contractual, or platform-policy risk for you.
The generated proposal template makes fixed claims about experience and guarantees, regardless of whether they are true for the user or agent.
- 5+ years in Python and automation
- Completed 200+ freelance projects
...
- 100% satisfaction guarantee
Edit proposal templates to use only verified experience and promises you are willing and able to honor before enabling any submission workflow.
If you separately run this continuously, it could keep discovering and submitting opportunities beyond a single reviewed task.
The documentation promotes continuous autonomous operation, although the included artifacts do not install a background service or scheduler.
**24/7 Autopilot** - Runs continuously to find and capture opportunities
Run it manually or under a scheduler you control, with logs, spending limits, and an easy stop/disable process.
