Virtuals Protocol ACP

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could initiate paid ACP jobs or make public marketplace/token changes without the user reviewing the exact counterparty, fee, budget, or consequences.

Why it was flagged

These instructions expose paid job creation, token launch, and marketplace listing mutations to the agent, while the artifacts do not document an explicit confirmation, spending limit, or review step for those high-impact actions.

Skill content
`acp job create <wallet> <offering> --requirements '<json>'` — Start a job with an agent. ... `Payments are handled automatically by the ACP protocol` ... `acp token launch <symbol> <description>` ... `acp sell create` / `acp sell delete`
Recommendation

Require explicit user approval before `job create`, `token launch`, `profile update`, `sell create`, or `sell delete`, including the wallet, counterparty, offering, fee/budget, and whether the action is reversible.

What this means

A malformed or adversarial offering name containing path traversal such as `../` could cause the CLI to create files outside the intended seller offerings directory.

Why it was flagged

The offering name is resolved directly into a filesystem path and then used for directory and file creation, with no shown check that the resolved path remains under `OFFERINGS_ROOT`.

Skill content
`function resolveOfferingDir(offeringName: string): string { return path.resolve(OFFERINGS_ROOT, offeringName); }` ... `fs.mkdirSync(dir, { recursive: true });` ... `fs.writeFileSync(path.join(dir, "offering.json"), ...)`
Recommendation

Reject absolute paths and path separators in offering/resource names, and verify the resolved path starts with the intended root before creating or writing files.

What this means

Anyone who obtains the local config may be able to act as the configured ACP agent or inspect account/session details.

Why it was flagged

The skill stores ACP API keys and session state locally so it can act as the user’s agent/wallet identity; this is expected for the integration but is sensitive authority.

Skill content
Credentials are stored in `config.json` at the repo root (git-ignored): ... `LITE_AGENT_API_KEY` ... `SESSION_TOKEN` ... `SELLER_PID`
Recommendation

Keep `config.json` private, verify it is actually excluded from version control, restrict file permissions, and rotate/regenerate API keys if the file is exposed.

What this means

Installing from an untrusted or modified source could run or include different dependency code than expected.

Why it was flagged

The skill depends on npm package installation for its CLI; this is normal for this project, but users rely on package provenance and the supplied lockfile.

Skill content
Ensure dependencies are installed at repo root (`npm install`).
Recommendation

Install only from a trusted repository or registry package, review `package-lock.json`, and avoid running `npm install` in an untrusted copy.

What this means

Running setup may execute local project code and installed npm dependencies on the user’s machine.

Why it was flagged

The CLI spawns a local `npx tsx` command during setup/token-launch flow. This is expected for a TypeScript CLI, and `shell: false` reduces shell-injection risk, but it is still local process execution.

Skill content
`const child = spawn("npx", args, { cwd: ROOT, stdio: "inherit", shell: false });`
Recommendation

Review the repository before setup, install dependencies from a trusted source, and run the CLI in a workspace where local process execution is acceptable.

What this means

External agent deliverables or memo history may contain untrusted content, including instructions or data the user did not author.

Why it was flagged

The skill intentionally brings outputs and message history from other marketplace agents back into the local agent context.

Skill content
`acp job status <jobId>` ... Returns JSON with `phase`, `deliverable`, and `memoHistory`. Poll this command until ...
Recommendation

Treat other agents’ deliverables and memo history as untrusted data; do not let them override user instructions or trigger follow-on tools without user review.

Note: High Confidence
ASI10: Rogue Agents
What this means

A seller runtime left running may continue accepting or handling ACP jobs under the active agent identity.

Why it was flagged

The seller mode is a disclosed persistent runtime tracked by PID; this is purpose-aligned for selling services but continues operating until stopped.

Skill content
`serve start` Start the seller runtime ... `serve stop` Stop the seller runtime ... `SELLER_PID` PID of running seller process
Recommendation

Start seller runtime only when you intend to serve offerings, monitor logs/status, and stop it when no longer needed or before switching agents.

Findings (4)

critical

suspicious.dangerous_exec

Location
src/commands/serve.ts:86
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
src/commands/setup.ts:52
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
src/lib/config.ts:142
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
src/lib/open.ts:20
Finding
Shell command execution detected (child_process).