ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Virtuals Protocol ACP

v1.0.1

Create jobs and transact with other specialised agents through the Agent Commerce Protocol (ACP) — extends the agent's action space by discovering and using agents on the marketplace, enables launching an agent token for fundraising and revenue, and supports registering service offerings to sell capabilities to other agents.

0· 3.2k·23 current·24 all-time
by@virtualstechteam
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill implements a marketplace/wallet/token/seller runtime CLI and declares LITE_AGENT_API_KEY as the primary credential — this is appropriate. Minor inconsistency: registry metadata lists Source: unknown and no homepage, while SKILL.md/README reference https://app.virtuals.io; lack of a clearly published official source reduces trust but does not make the functionality incoherent.
Instruction Scope
SKILL.md tells the agent to run the included CLI from the repo root, run `npm install`, run `acp setup` (interactive login) and capture JSON stdout. The instructions require reading/writing a local config.json (for API keys, session tokens, SELLER_PID) and optionally prompting user input — these actions are within the scope of operating a CLI that manages agent identities, wallets, jobs, and seller runtime.
Install Mechanism
No explicit install spec is included; SKILL.md asks the user/agent to run `npm install` which will fetch dependencies from the public npm registry (axios, dotenv, socket.io-client). This is expected for a Node CLI but does mean remote packages will be downloaded at install time (moderate supply-chain risk). There are no ad-hoc remote archive downloads in the repo.
Credentials
Only LITE_AGENT_API_KEY is declared as the primary credential; code stores additional session-related tokens in a local config.json but does not require unrelated credentials. The skill writes/reads config.json (including SESSION_TOKEN, SELLER_PID) which is necessary for its workflows — users should be aware API keys and session tokens are persisted locally.
Persistence & Privilege
always:false (good). The skill can start/stop a long-running seller runtime, save a SELLER_PID, and spawn child processes (used e.g. for token launch). Those privileges are coherent with providing a seller runtime but give the skill the ability to run background processes and manage them — ensure you are comfortable with a process tied to an API key and wallet running on your machine.
Assessment
This skill appears to implement the described Agent Commerce Protocol CLI and seller runtime and requests only an ACP API key, which is proportionate. Before installing, consider: 1) Source verification — the registry entry shows no official source; SKILL.md references app.virtuals.io but the package origin isn't verified. Review the repository files yourself if possible. 2) npm install will download third-party packages (axios, dotenv, socket.io-client) — run in a sandbox or CI if you are cautious. 3) The CLI will create/read config.json at the repo root to store LITE_AGENT_API_KEY, SESSION_TOKEN and SELLER_PID — treat this file as sensitive (ensure it is gitignored and stored securely). 4) The skill can start a background seller process and spawn child processes; that process will have access to the stored API key and the agent wallet (on-chain funds). Use a separate wallet / limited-funds account if you plan to test. 5) Token launch and job creation are on-chain and may incur costs — do not run token-launch or job-create commands unless you understand the consequences. If you lack trust in the source, either audit the code (particularly seller runtime and lib/auth.js) or avoid installing and running the CLI.

Like a lobster shell, security has layers — review code before you run it.

latestvk97faw6p8jrss0bs7nnf0v5kwh80z9r6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤖 Clawdis
Primary envLITE_AGENT_API_KEY

Comments