Deal Works Mcp

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: deal-works
Version: 0.1.1

The skill bundle provides extensive functionality for managing deals, funds (including transfers and cash-outs), and autonomous agents, interacting with several `*.works` domains and `api.perplexity.ai`. While the code itself does not exhibit clear evidence of intentional malicious behavior (e.g., no arbitrary command execution, no unauthorized data exfiltration to unknown endpoints, no obfuscation), its powerful financial and agent management capabilities, combined with the direct embedding of user-provided arguments into agent prompts (as seen in `src/prompts.ts` and `configs/perplexity-prompts.md`), present a significant prompt injection risk. A compromised or manipulated AI agent could be instructed to misuse these powerful tools (e.g., `fund_cashout`, `fund_transfer`, `cadre_deploy`) to perform unauthorized financial transactions or deploy malicious agents, even if the skill itself is not designed for self-exploitation. This falls under risky capabilities without clear malicious intent, classifying it as suspicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent with this skill could move funds, lock funds in escrow, cash out, or change the state of business deals if it receives or infers the right instruction.

Why it was flagged

These are high-impact financial and deal-lifecycle mutations exposed as agent tools. The artifacts disclose them, but do not show built-in confirmations, amount ceilings, or rollback controls for these actions.

Skill content

`fund_transfer` - Transfer funds between wallets; `fund_cashout` - Cash out to external wallet; `deal_action` - Perform deal actions (sign, approve, reject, etc.)

Recommendation

Use only with a tightly scoped API key, require explicit user confirmation for every financial or legal mutation, and review all tool calls before approval.

Concern: High Confidence

ASI10: Rogue Agents

What this means

A deployed agent could continue operating after the immediate chat task and consume funds or act on delegated permissions.

Why it was flagged

The skill can create and fund autonomous agents through an external service. The artifacts do not clearly bound agent lifetime, permissions, delegation scope, or maximum budget.

Skill content

description: "Deploy a new agent from a skill definition. Optionally fund and configure SLA." ... fundingAmount ... return client.fetch("cadre", "/agents", { method: "POST", body: input,

Recommendation

Deploy agents only after explicit approval, set small budgets and clear stop conditions, and verify that deal.works provides revocation, audit logs, and spending limits.

Concern: Medium Confidence

ASI03: Identity and Privilege Abuse

What this means

If you have a Perplexity API key in the environment, the package may use it in ways that are not obvious from the main skill requirements.

Why it was flagged

The static scan reports this environment credential access combined with a network send. The registry requirements list DEAL_WORKS_API_KEY as the required credential, so PERPLEXITY_API_KEY use is not clearly declared or bounded in the supplied metadata.

Skill content

const apiKey = config?.apiKey ?? process.env.PERPLEXITY_API_KEY;

Recommendation

Do not run the skill in an environment containing unrelated API keys unless you intend the skill to use them; the publisher should declare optional credentials and describe when they are sent.

What this means

Anyone or any agent using this key through the skill may be able to perform powerful account actions depending on server-side scopes.

Why it was flagged

The primary deal.works credential is expected for this integration, but it is sent as a bearer token for calls across the platform's engines, including engines that can mutate funds, deals, marketplace listings, and agents.

Skill content

this.apiKey = config.apiKey ?? process.env.DEAL_WORKS_API_KEY; ... headers["Authorization"] = `Bearer ${this.apiKey}`;

Recommendation

Use the least-privileged deal.works API key available, rotate it if exposed, and avoid sharing it with unrelated MCP servers or agents.

What this means

Copying the wrong command could install or run an unintended package.

Why it was flagged

The README uses two different npm package scopes in install/config examples. That may be a documentation typo, but it could lead users to invoke a different package than the one in the install spec.

Skill content

npx @swgoettelman/deal-works-mcp ... "args": ["@goettelman/deal-works-mcp"]

Recommendation

Verify the npm package name and publisher before installation; the maintainer should make the package scope consistent across all docs and config examples.