Deal Works Mcp

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for deal.works, but it gives an agent direct authority over funds, deals, marketplace posts, disputes, attestations, and remote agents without clear confirmation guardrails.

Install only if you trust deal.works and intentionally want an agent to operate real deals, wallets, disputes, marketplace listings, attestations, and autonomous agents. If you do, use the least-privileged API key available, verify the npm package scope before installing, enforce budget limits outside the skill (it ships none of its own), and require explicit human confirmation before any transfer, cashout, escrow funding, deal action, dispute vote, final seal, marketplace publish, or agent deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README advertises tools that can move funds, cash out to external wallets, deploy and command agents, publish marketplace listings, and file disputes, but it does not pair these capabilities with clear warnings, confirmation requirements, or guidance about irreversible side effects. In an agent-facing MCP skill, documentation strongly shapes how an AI may invoke tools, so underspecifying risk can lead to unintended financial transfers, unauthorized operational changes, or other high-impact actions being taken with insufficient user awareness.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill advertises high-impact actions such as creating deals, transferring funds, locking escrow, cashing out, filing disputes, voting, and deploying autonomous agents, but the documentation does not clearly require explicit user confirmation before irreversible or costly operations. In this context, an agent could interpret a natural-language request too broadly and trigger financial or operational actions without sufficient friction, leading to fund loss, unauthorized commitments, or disruptive agent deployments.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
This skill exposes high-risk state-changing operations such as cashout, transfers, escrow locking, agent funding, attestations, dispute actions, and marketplace publication as direct POST requests with no built-in confirmation, step-up authentication, policy checks, or dry-run safeguards. In an agent setting, ambiguous prompts, prompt injection, or tool misuse could trigger irreversible financial or contractual actions immediately against live external services.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The `academy_tip` handler performs a real monetary action directly from tool input by posting `{ amount, message }` to a tipping endpoint, but there is no visible confirmation, acknowledgement requirement, or safeguard in this layer before funds are moved. In an agentic context, this is dangerous because an LLM or prompt-injected workflow could trigger unintended payments, and the skill description explicitly involves deals and autonomous agents, which increases the chance of autonomous execution of financial actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The escrow-deal prompt explicitly instructs the agent to create a deal and fund escrow for the full amount, but it provides no user-facing warning that funds will be moved or locked. In a financial skill, prebuilt prompts that normalize value-transferring actions without clear confirmation language increase the risk of unintended transactions, especially if an agent auto-executes tool workflows from prompt content.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The deploy-agent prompt directs the agent to search, deploy, and fund an autonomous agent using a stated budget, but it does not warn the user that this can spend funds and create an active funded agent. In the context of agent infrastructure and wallets, this omission is security-relevant because users may interpret the prompt as informational setup rather than authorization for irreversible or costly actions.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The portfolio-review prompt asks for active deals, pending escrows, agent health, wallet balances, and dashboard data without telling the user that potentially sensitive financial and operational account information will be retrieved and aggregated. This is a weaker issue than direct fund movement, but it still creates avoidable privacy risk by encouraging broad data exposure without scoped consent or minimization.

VirusTotal

0/66 vendors flagged this skill; all 66 reported it clean. A clean antivirus verdict says nothing about the excessive-agency findings above, which are design issues in how the tools are exposed rather than malicious code.
