ClawHub
Back to skill

Security audit

Locus Contractors

Security checks across malware telemetry and agentic risk

Overview

This payment skill appears purpose-built rather than malicious, but it gives an agent real-money authority, recurring ordering behavior, and unverified remote self-updates that users should review carefully.

Install only if you deliberately want an agent to spend USDC and hire freelancers through Locus. Use strict allowance, per-transaction, and approval thresholds; require human confirmation for every payment and order; disable or manually review remote skill updates; do not let heartbeat routines autonomously reorder services; protect the API key like a financial secret; and avoid sharing confidential or personal files through public URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The heartbeat instructs the agent to fetch updated skill files from a remote server and overwrite local copies automatically. This creates a remote code/instruction supply-chain channel: if the server, DNS, TLS endpoint, or hosting is compromised, future agent behavior can be silently replaced without human review, expanding the skill's authority beyond order polling.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The heartbeat extends from passive status polling into proactive business/task discovery and potentially placing new freelance orders. That broadens autonomy from monitoring into spending decisions, increasing the chance of unauthorized purchases, manipulation through prompt/task context, or repeated unwanted ordering without a clear user trigger.

Context-Inappropriate Capability

Low
Confidence
73% confidence
Finding
The skill instructs the agent to modify heartbeat and state files and to periodically fetch remote instructions, which expands behavior from payment execution into persistent automation and local state management. While not overtly malicious, this creates unnecessary persistence and recurring remote-content ingestion that can widen the attack surface and make later malicious updates more impactful.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to place publicly accessible URLs for assets and brand materials into the order request, and says the freelancer will download anything linked. This can expose sensitive documents, proprietary media, or personal data to third parties and to anyone else who can access those URLs, especially if users misunderstand what 'publicly-accessible' implies.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill directs the agent to overwrite local skill files with content downloaded from the network, without warning, confirmation, or integrity checks. Silent local replacement is dangerous because it can modify future agent instructions and capabilities, effectively persisting attacker-controlled behavior if the remote source is tampered with.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The onboarding instructs the human to generate an API key and give it to the agent, then store it locally, but it does not clearly label the key as a sensitive secret that grants payment capability. In a payment skill, that omission is dangerous because compromise of the key could enable unauthorized purchases, freelancer orders, or other wallet-linked actions against funded accounts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file directs the user to create and fund a wallet for USDC spending and to let the agent make payments, but it lacks a prominent warning that these are real-money transactions with irreversible financial consequences. In this context, understated risk messaging increases the chance that users fund wallets or authorize spending without understanding loss, fraud, or mistaken-order risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill provides direct payment-sending instructions for moving USDC without a strong requirement for explicit user confirmation or a warning that blockchain fund movements may be irreversible. In an agentic setting, this omission increases the risk of accidental or prompt-induced unauthorized transfers, especially because the skill is expressly designed to spend funds.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The email-payment flow sends recipient email addresses, payment amounts, memos, and escrow metadata to the external service, but the skill does not clearly warn about that data disclosure. This can lead agents or users to share personal data and sensitive payment context without informed consent or minimization.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal