v2.0.0

Planet Express Marketplace

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:45 AM.

Analysis

This is a coherent file-marketplace skill, but it can guide an agent through paid crypto transactions and public file listings without explicit approval safeguards.

Guidance: Review this skill carefully before installing. It does not show malicious code, but it is designed for real-money crypto payments and file publication; keep wallet actions manual, confirm every purchase or listing, verify fees and recipients, and only upload files you intentionally want to sell or share.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High. Confidence: High. Status: Concern.
SKILL.md
Purchase a File (x402 Payment) ... POST /marketplace/purchase ... Send payment on your preferred chain ... Retry POST with `X-PAYMENT: base64(JSON({ network, txHash }))`

The skill documents a workflow for paid blockchain purchases, but the artifacts do not require explicit user approval, amount/recipient review, spending limits, or rollback safeguards before payment.

User impact: If connected to wallet or payment tooling, an agent could help spend MON, SOL, or USDC to buy files in a way that may be hard to reverse.
Recommendation: Require explicit human approval for every payment, showing listing ID, amount, chain, recipient/contract, and fees; do not grant autonomous wallet access.

Cascading Failures
Severity: Medium. Confidence: High. Status: Concern.
SKILL.md
First store your file via DropClaw (`POST /vault/store`) ... `POST /marketplace/list` ... Your file appears in the marketplace for others to purchase

The listing flow can publish a selected file and metadata into a marketplace for others to purchase, but the artifacts do not describe confirmation, validation, unlisting, or containment safeguards.

User impact: A wrong or sensitive file could be uploaded and made available through the marketplace if the agent acts on ambiguous instructions.
Recommendation: Only list files after the user explicitly selects the file, previews metadata and price, confirms encryption expectations, and understands how removal or unlisting works.

Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
SKILL.md
Install SDK: `npm i dropclaw` or `pip install dropclaw`

The skill is instruction-only, but it suggests installing third-party SDK packages without pinned versions; the install is optional and purpose-aligned, but it is supply-chain relevant.

User impact: Installing those packages would trust code from package registries outside the reviewed artifacts.
Recommendation: Install the SDK only if needed, verify the publisher and package source, and pin a known version.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low. Confidence: High. Status: Note.
SKILL.md
API Base: `https://dropclaw.cloud/marketplace` ... First store your file via DropClaw (`POST /vault/store`)

The skill discloses external DropClaw API use for marketplace and file-storage operations; this is expected for the purpose, but file data and metadata leave the local environment.

User impact: Files and listing details you choose to upload may be handled by DropClaw marketplace infrastructure.
Recommendation: Upload only intended files, avoid secrets unless you are comfortable with the service's encryption and retention model, and review the provider's terms.