Back to skill

Security audit

Virtuals Protocol ACP

Security checks across malware telemetry and agentic risk

Overview

This looks like a real ACP marketplace skill, but it needs review because it can use credentials, create paid marketplace actions, launch tokens, and run automated background job handlers with weak safeguards.

Install only if you intend to let an agent use your Virtuals ACP account for marketplace activity. Treat config.json as a secret, do not commit or share it, review costs and recipients before any job or funds transfer, avoid token/profile changes unless deliberate, and start the seller runtime only after reviewing the local handlers and knowing how to stop it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill directs the agent to use environment-backed credentials and make networked ACP/API calls, but it declares no corresponding permissions or trust boundaries. This creates a mismatch between what the skill appears allowed to do and what it actually instructs the agent to do, increasing the risk of silent external actions and credential use without adequate review.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill loads an API key from config.json and copies it into process.env, which confirms it persists and reuses a secret locally rather than limiting use to ephemeral runtime input. In an agent-commerce skill that can transact with external agents, storing marketplace/API credentials on disk increases exposure if the host, repo root, or logs/backups are accessed by another local process or user.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The function falls back to shelling out to ps/grep to discover a seller process, which expands the skill's visibility into host OS process state beyond its core marketplace task. While the command is static and not directly injectable here, host process enumeration can reveal operational context and is unnecessary attack surface for a commerce-oriented integration.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This function builds a shell command from an untrusted URL string and executes it via child_process.exec, which invokes a system shell. Quoting with double quotes is not sufficient across platforms because shell metacharacters and platform-specific parsing can still allow command injection or unintended command execution. In this skill's context, opening arbitrary browser URLs is also an unusually powerful local side effect relative to ACP job/marketplace operations, increasing the risk of phishing, drive-by navigation, or abuse of the host environment.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The README states that API keys and session tokens are stored in a local `config.json`, but it does not explicitly warn users that these values are sensitive secrets that must be protected from accidental disclosure. In the context of an agent-commerce tool with wallet, token, and marketplace capabilities, exposed credentials could allow unauthorized account access, job creation, profile changes, or other actions tied to the agent identity.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The description is broad and action-oriented—creating jobs, transacting with agents, launching tokens, and selling services—without clear trigger conditions or approval gates. In agentic contexts, vague invocation scope can cause the skill to be selected in situations where the user did not intend external transactions, credential use, or marketplace interactions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs the agent to run setup that logs in and writes an API key to `config.json` in the repository, but it does not require a prior user warning or consent about credential generation and local secret storage. Storing secrets in a repo workspace increases the risk of accidental disclosure, reuse by other tools, or later commit/exfiltration if the workspace is shared or version-controlled.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill exposes `acp token launch` as a routine capability without a prominent user-facing warning that token creation can have financial, legal, reputational, and effectively irreversible consequences. Because token launch can trigger on-chain or marketplace-visible actions tied to fundraising and revenue, a user could be induced into a high-impact transaction without informed approval.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The seller runtime is described as automatically accepting requests, requesting payment, and delivering output by executing handlers, but the skill omits a warning that this exposes the agent to ongoing external job processing. In context, that means enabling autonomous network-facing behavior with potential execution, data exposure, cost incurrence, and unintended commitments after a single start command.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The reference instructs users to create jobs with third-party agents and only later notes that payments are automatic, without a clear upfront warning at the job-creation step that initiating a job can commit funds. In this skill's marketplace/agent-commerce context, that omission is dangerous because an agent may autonomously select providers and trigger paid actions or transfers without explicit user awareness or confirmation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to launch an agent token tied to the current agent identity via LITE_AGENT_API_KEY, but it does not clearly warn that this is a live, state-changing action with potentially irreversible or hard-to-reverse consequences. In an agent skill context, an automated system may execute the command directly, causing unintended token creation, reputational harm, or unwanted financial/commercial exposure for the agent.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The profile update reference describes modifying live profile fields for the current agent without prominently stating that the change applies immediately to the account associated with the active API key. In an autonomous or tool-using agent environment, this increases the chance of unintended changes to public-facing identity data, including name, description, or profile image.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guidance explicitly instructs implementers to request additional token transfers from buyers and then execute jobs automatically once payment is received, but it does not require prominent warnings, explicit consent checkpoints, transfer caps, recipient verification, or safeguards for irreversible on-chain asset movement. In this ACP marketplace context, that omission is dangerous because skill users may create agents that solicit and receive funds programmatically, increasing the risk of accidental loss, misconfiguration, abusive offerings, or socially engineered fund transfers.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup flow persists the agent API key in local config.json and even tells the user it was saved there, but there is no explicit warning about the sensitivity of that credential, no indication of file-permission hardening, and no safer storage mechanism shown. In this skill's context, that key likely authorizes actions on behalf of the agent in the ACP marketplace, so any local compromise, backup leak, or accidental file sharing could expose a reusable credential and enable unauthorized transactions or agent impersonation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code opens URLs in the user's default browser without any warning, consent, or clear indication to the user, creating a silent external action. If an attacker can influence the URL, this can be used for phishing, forced navigation to malicious content, or triggering handlers for non-HTTP URI schemes on the local system. Because the skill is for ACP commerce and agent interactions, silent browser launching is not clearly necessary and makes the behavior more suspicious and potentially harmful.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"seller:check": "tsx bin/acp.ts serve status"
  },
  "dependencies": {
    "axios": "^1.13.4",
    "dotenv": "^16.4.5",
    "socket.io-client": "^4.8.1"
  },
Confidence
94% confidence
Finding
"axios": "^1.13.4"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "axios": "^1.13.4",
    "dotenv": "^16.4.5",
    "socket.io-client": "^4.8.1"
  },
  "devDependencies": {
Confidence
94% confidence
Finding
"dotenv": "^16.4.5"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "axios": "^1.13.4",
    "dotenv": "^16.4.5",
    "socket.io-client": "^4.8.1"
  },
  "devDependencies": {
    "tsx": "^4.19.2",
Confidence
94% confidence
Finding
"socket.io-client": "^4.8.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"socket.io-client": "^4.8.1"
  },
  "devDependencies": {
    "tsx": "^4.19.2",
    "typescript": "^5.7.2"
  }
}
Confidence
87% confidence
Finding
"tsx": "^4.19.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "devDependencies": {
    "tsx": "^4.19.2",
    "typescript": "^5.7.2"
  }
}
Confidence
84% confidence
Finding
"typescript": "^5.7.2"

Known Vulnerable Dependency: axios==1.13.4 — 10 advisory(ies): CVE-2026-44494 (axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `co); CVE-2026-44495 (axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollut); CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
axios==1.13.4

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/commands/serve.ts:86

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/commands/setup.ts:52

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/lib/config.ts:142

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/lib/open.ts:20