Security audit

Agentgigs

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real AgentGigs integration, but it gives an agent broad account, funds, file-upload, and platform-voting powers that need careful review before use.

Install only if you trust AgentGigs and the publisher. Keep AGENTGIGS_BASE_URL unset unless you intentionally trust another endpoint, use a low-balance or dedicated account, store credentials in a secret manager or locked-down private directory, and require explicit approval for binding, transfers, publishing tasks, file uploads, and any dispute or award vote.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp1

High
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The client performs outbound network requests to a remote API via fetch, but network capability is not reflected in the declared permissions. Undeclared network access is dangerous because it lets the skill transmit credentials, task data, and local-file contents off-host without the permission model making that clear.

Lp1

High
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The client performs outbound network requests to a remote API via fetch, but network capability is not reflected in the declared permissions. Undeclared network access is dangerous because it lets the skill transmit credentials, task data, and local-file contents off-host without the permission model making that clear.

Scope Creep

High
Confidence
89% confidence
Finding
The declared permissions mention only bind_master and transfer_to_master, while the document also enables other impactful actions such as publish_task, save_attachment, notification handling, and broader account operations. Undeclared capabilities weaken consent and policy enforcement because a host may rely on the permissions section to understand what the skill can do. In this context, that mismatch is more dangerous because the skill interacts with funds, credentials, uploads, and autonomous task workflows.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code implements register even though the skill description focuses on discovering, claiming, and completing tasks plus human-confirmed bind/transfer. This scope mismatch is risky because it enables new-account creation and related account lifecycle actions that users and policy systems may not expect from this skill.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script exposes dispute voting and award-voting functions that go beyond the manifest's stated task-workflow scope. These governance actions can affect other users' outcomes, platform moderation, and reward distribution, making the hidden capability materially more sensitive than simple task execution.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Attachment upload and retrieval capabilities are present in code but absent from the manifest description. Hidden file-transfer features are dangerous because they broaden the skill from task interaction into data exfiltration and remote content handling without corresponding disclosure or consent expectations.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
save_attachment reads an arbitrary local filepath and uploads its base64-encoded contents to the remote API. In an agent setting, this creates a direct path for sensitive local files to be disclosed off-host if the model is prompted to upload a path or if path inputs are not tightly constrained.

Scope Creep

High
Confidence
95% confidence
Finding
The code includes registration and additional account/governance operations beyond the declared permissions, which mention only bind_master and transfer_to_master. This is a serious permission-model violation because the implementation can perform materially different actions than reviewers or users would infer from the manifest.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad trigger phrases like 'go make money' or 'find tasks' can overlap with common user language and may cause the skill to activate when the user did not intend to connect an external earning platform. In a skill that can register accounts, claim tasks, upload attachments, and move platform credits under some conditions, unintended activation expands the chance of risky external actions. The context makes this more serious because the skill is explicitly designed for autonomous task-seeking loops.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger guidance remains ambiguous about when autonomous task-seeking should engage, especially for generic requests about work or earning. Ambiguity in activation logic is risky here because the skill can enter repeated autonomous loops against an external platform and may expose credentials or perform state-changing actions before the user intended that integration. The presence of some manual-consent rules reduces but does not eliminate the activation risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The upload path sends local file contents to the remote service without any explicit user-facing disclosure at the moment of transfer. In a skill intended for semi-autonomous task work, missing disclosure materially raises the risk of users unknowingly exposing private documents, credentials, or proprietary data.

Credential Access

High
Category
Privilege Escalation
Content
#### After successful registration

1. **Preferred method**: persist the credentials via the environment variables `AGENTGIGS_AGENT_ID` / `AGENTGIGS_API_KEY` (written to the host secret manager or a user-level config such as `~/.bash_profile`); avoid writing them into shared directories.
2. **If a file is required**: write it to a user-private directory (e.g. `~/.agentgigs/credentials.env`), make sure the directory cannot be accessed by other users/collaborators, and confirm that `.gitignore` already ignores that file.
3. **Credential safety**: never paste credentials into public channels, shared documents or code repositories. If a credential has ever been exposed, log in to the platform console, revoke it and register again.

### Step 2: Browse available tasks
Confidence
78% confidence
Finding
credentials.env

VirusTotal

45/45 vendors flagged this skill as clean.