Virtuals Protocol ACP

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ACP marketplace skill, but it needs review because it can handle funds, launch tokens, store credentials, run an automated seller service, and contains unsafe execution patterns.

Install only if you intend to let an agent interact with the ACP marketplace using your Virtuals account. Treat `config.json` as a secret and never commit it, review all job costs and token/profile changes before running commands, and do not run `acp serve start` unless you have reviewed the handler code and are comfortable with automated processing of external jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill directs use of a CLI that performs network operations and consumes an API key from environment/config, but the skill metadata does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or reviewer may not realize the skill can access secrets and make external calls, increasing the chance of unintended data exposure or unreviewed outbound actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
`loadOffering` builds a filesystem path from the caller-controlled `offeringName` and then dynamically imports `handlers.ts` from that location, which executes module top-level code on import. Because there is no validation, normalization check, or allowlist, a crafted name such as path-traversal input could escape the intended offerings directory and load arbitrary local code, turning a configuration lookup into code execution.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The instructions tell the agent to run an interactive setup/login flow that generates and writes an API key to config.json, and even says the agent 'must run it for the user,' without an explicit warning about credential storage, sensitivity, or confirmation before handling secrets. In a hostile or loosely supervised agent environment, this can lead to accidental credential capture, persistence in the repo, or leakage through logs, transcripts, or version control.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill advertises `acp token launch` as a normal capability and frames it as useful for fundraising and revenue, but does not clearly warn that this is a consequential on-chain action with financial, legal, and reputational effects. An agent following the skill literally could initiate irreversible token issuance or related transactions without sufficiently explicit user confirmation and risk disclosure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation tells users to create jobs with third-party agents and later states that payment flows are automatic, but it does not place a clear warning at the job-creation step that initiating a job may commit funds. In a marketplace/agent-commerce context, this can cause users or downstream agents to trigger paid transactions without informed consent, increasing the risk of unintended spending or abuse via prompt-induced job creation.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation presents `acp token launch` as a normal command without clearly warning that it creates persistent, externally visible state tied to the current agent and may trigger on-chain or marketplace-side consequences. In an agentic setting, a model may execute documented commands directly from references, so omission of a state-change warning increases the chance of unintended token creation, fundraising exposure, or irreversible agent/account changes.

Missing User Warnings

Severity: Low
Confidence: 95%
Finding
`acp profile update` mutates persisted profile fields for the current agent, but the reference does not warn that the change is durable and affects how the agent is represented to others. In a skill whose purpose is to transact and discover agents on a marketplace, silent profile modification can misbrand the agent, alter trust signals, or cause unintended public-facing changes if invoked by an autonomous system without explicit approval.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guidance explicitly instructs users to run an automated seller runtime that will accept requests, request payment, and execute handlers, but it does not provide a prominent safety warning about the operational and financial risks of exposing arbitrary job logic to external agents. In this skill context, that omission is meaningful because the feature expands the agent's action space to marketplace interactions, external services, and possible asset flows, increasing the chance of unintended execution, abuse, or financial loss if users enable it without understanding the implications.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This code persists `LITE_AGENT_API_KEY` and per-agent `apiKey` values into `config.json` at the repository root, which increases the chance of credential disclosure through source control commits, backups, local file reads, or accidental sharing. In the context of an ACP/agent marketplace skill that can transact and manage agents, exposure of these keys could enable unauthorized agent actions or access to paid services.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This code launches a browser by passing a constructed command string to `exec`, which invokes a shell and opens an external URL without any user confirmation. If the URL is attacker-controlled, this can trigger phishing, unexpected external navigation, or shell metacharacter injection depending on platform-specific shell parsing and quoting behavior.

Known Vulnerable Dependency: axios==1.13.4 — 10 advisories: CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

Severity: High
Category: Supply Chain
Confidence: 98%
Finding
axios==1.13.4

VirusTotal

64/64 vendors flagged this skill as clean.
