AgentBnB

Security checks across malware telemetry and agentic risk

Overview

AgentBnB has a coherent purpose as a remote-agent marketplace, but it needs review: install and activation make automatic network/config changes, and its tools can send data to remote agents and spend credits without a separate consent gate.

Install only if you intentionally want this agent connected to AgentBnB's public network. Before enabling it, review the registry setting, credit budgets, autonomy tiers, and what data may be sent in request params or published cards. Avoid using it with secrets, private documents, regulated data, or proprietary prompts unless you have explicit approval and clear budget controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Severity: Medium (92% confidence)
The script states it will not auto-publish capabilities during install, but it still performs a non-trivial side effect by connecting the local configuration to a public AgentBnB registry. Even if this does not immediately publish data, it changes trust boundaries and can enable later network interactions against a public service without explicit user consent, making the install behavior more invasive than advertised.

Intent-Code Divergence

Severity: Low (88% confidence)
The comments minimize install-time effects by emphasizing detection of SOUL.md and no auto-sync, but the script also initializes configuration and writes a public registry setting. This discrepancy can mislead users and reviewers about what the installer changes, reducing informed consent and making security review harder.

Missing User Warnings

Severity: Medium (93% confidence)
The rules explicitly authorize automatic capability sharing and automatic network requests, but they do not include any user-facing disclosure about what data may be sent, what remote agents may execute, or what system resources may be exposed. In a multi-agent delegation skill, this creates meaningful privacy and integrity risk because tasks, prompts, metadata, and outputs can be transmitted off-box or delegated without informed consent at the moment of use.

Vague Triggers

Severity: Medium (75% confidence)
The example trigger phrase is broad and conversational, making it easy for an assistant to invoke this paid remote-execution skill in situations where the user did not clearly request external delegation. In this skill's context, accidental invocation is more dangerous because it can send task data to third-party providers and spend credits.

Missing User Warnings

Severity: Medium (94% confidence)
The documentation promotes renting remote capabilities and passing arbitrary JSON params, but it does not prominently warn that request contents may be transmitted to external providers and could include sensitive user data. In a multi-agent marketplace context, this substantially increases privacy and confidentiality risk because prompts, documents, identifiers, or proprietary data may leave the local environment.

Missing User Warnings

Severity: Medium (96% confidence)
The installer automatically sets 'registry' to 'https://agentbnb.fly.dev' when none is configured, which is a network-affecting configuration change without explicit approval. In an agent skill that brokers remote providers and credits, silently enrolling the user into a public network increases exposure to remote interactions, metadata disclosure, and future unintended transactions.
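The three registry-related findings above (the install-time side effect, the comment that understates it, and the silent default) all come down to one pattern: a missing setting is filled in with a public endpoint and persisted. The following added example is not AgentBnB's installer code; only the public registry URL comes from the page, while the config file name, the `registry` key's location and every function name are assumptions. It puts the silent-default installer beside an opt-in variant that never writes a value the user did not supply, adds a fail-closed lookup for the tools that would later use the setting, and includes a small side-effect diff that a reviewer can run against any installer to see what it actually changed.

```python
import json
import tempfile
from pathlib import Path
from typing import Optional

# Only the public registry URL below appears on the page. The config file
# name, the 'registry' key's location, and both installer functions are
# hypothetical illustrations of the pattern the finding describes.
PUBLIC_REGISTRY = "https://agentbnb.fly.dev"


def _load(config_path: Path) -> dict:
    return json.loads(config_path.read_text()) if config_path.exists() else {}


def install_silent_default(config_path: Path) -> dict:
    """The pattern the finding flags: a missing 'registry' is filled in with
    the public network and persisted, so a plain install enrolls the user."""
    cfg = _load(config_path)
    if not cfg.get("registry"):
        cfg["registry"] = PUBLIC_REGISTRY
        config_path.write_text(json.dumps(cfg, indent=2))
    return cfg


def install_explicit_optin(config_path: Path, registry: Optional[str] = None) -> dict:
    """Hardened variant: only a registry the user passed in is ever written.
    With no argument the file is left untouched (and not even created)."""
    cfg = _load(config_path)
    if registry is not None and cfg.get("registry") != registry:
        cfg["registry"] = registry
        config_path.write_text(json.dumps(cfg, indent=2))
    return cfg


def effective_registry(cfg: dict) -> str:
    """Tools that talk to the network should fail closed on a missing setting
    instead of falling back to the public registry at call time."""
    registry = cfg.get("registry")
    if not registry:
        raise RuntimeError("no registry configured; refusing to contact any network")
    return registry


def diff_install_side_effects(before: dict, after: dict) -> dict:
    """Review aid: every key an installer added or changed, as (old, new)."""
    return {k: (before.get(k), after[k]) for k in after if before.get(k) != after[k]}


def demo_install_side_effects() -> dict:
    """Runs both installers against fresh temp files and reports what changed."""
    with tempfile.TemporaryDirectory() as d:
        silent = Path(d) / "silent.json"
        optin = Path(d) / "optin.json"
        after_silent = install_silent_default(silent)
        after_optin = install_explicit_optin(optin)
        return {
            "silent_wrote_file": silent.exists(),
            "silent_diff": diff_install_side_effects({}, after_silent),
            "optin_wrote_file": optin.exists(),
            "optin_diff": diff_install_side_effects({}, after_optin),
        }


if __name__ == "__main__":
    print(json.dumps(demo_install_side_effects(), indent=2))
```

The useful habit is the diff: snapshot the config before installing any skill, run the installer, and diff afterwards; a `registry` key that appeared without you typing a URL is exactly the side effect the finding describes.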

Missing User Warnings

Severity: Medium (91% confidence)
The request and conduct tools directly expose remote agent execution and credit-spending operations through simple tool calls, but this wrapper adds no explicit confirmation, consent gate, or prominent warning before those actions are triggered. In an agentic environment, this increases the risk of unintended spending, delegated execution, or prompt-driven abuse if an upstream model or workflow invokes these tools without clear user awareness.
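The consent-gate gap above, together with the broad trigger and the missing use-time disclosure in the earlier findings, has one standard mitigation: separate proposing a remote, credit-spending call from executing it, and let only the user bridge the two. The added example below is not AgentBnB's code; the page names `request` and `conduct` tools and credit spending but shows no signatures, so every identifier, the cost model and the token scheme are assumptions. It shows the ungated call the finding describes next to a two-step gate with a per-call approval token, a single-use check against replay, and a budget cap enforced before anything is staged.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical wrapper. The page names 'request' and 'conduct' tools and
# credit spending but shows no code, so every identifier here is an assumption.


class ConsentRequired(Exception):
    """A remote-delegating or credit-spending call had no user approval."""


class BudgetExceeded(Exception):
    """The call would push spending past the user-configured cap."""


@dataclass
class Pending:
    tool: str
    params: dict
    cost_credits: int


@dataclass
class SpendGate:
    budget_credits: int
    spent_credits: int = 0
    pending: Dict[str, Pending] = field(default_factory=dict)
    ledger: List[dict] = field(default_factory=list)

    def propose(self, tool: str, params: dict, cost_credits: int) -> Tuple[str, str]:
        """Step 1, callable by the model: stage a call and describe it. Nothing
        is transmitted. The token must go to the user's UI, not back into the
        model's context, or the model could approve its own proposal."""
        remaining = self.budget_credits - self.spent_credits
        if cost_credits > remaining:
            raise BudgetExceeded(f"{tool} costs {cost_credits} credits, {remaining} remaining")
        token = secrets.token_hex(8)
        self.pending[token] = Pending(tool, params, cost_credits)
        summary = (f"{tool} -> remote provider, {cost_credits} credits, "
                   f"params keys: {sorted(params)}")
        return token, summary

    def execute(self, token: Optional[str], send: Callable[[str, dict], dict]) -> dict:
        """Step 2, callable only with a token the user handed back: send once,
        charge the ledger, and retire the token so a replay is refused."""
        if token is None or token not in self.pending:
            raise ConsentRequired("no user approval for this call")
        p = self.pending.pop(token)
        result = send(p.tool, p.params)
        self.spent_credits += p.cost_credits
        self.ledger.append({"tool": p.tool, "cost": p.cost_credits,
                            "params_keys": sorted(p.params)})
        return result


def ungated_request(params: dict, send: Callable[[str, dict], dict]) -> dict:
    """What the finding describes: the tool call goes straight to the network."""
    return send("request", params)


def demo_gate() -> dict:
    """Drives both paths against a fake transport that records every send."""
    sent: List[Tuple[str, dict]] = []

    def fake_send(tool: str, params: dict) -> dict:
        sent.append((tool, params))
        return {"ok": True}

    # Ungated: one model-initiated call, one outbound transmission, no consent.
    ungated_request({"task": "summarize the attached contract"}, fake_send)
    ungated_sends = len(sent)

    gate = SpendGate(budget_credits=10)
    refused_without_token = False
    try:
        gate.execute(None, fake_send)
    except ConsentRequired:
        refused_without_token = True

    token, _summary = gate.propose("request", {"task": "summarize"}, 4)
    gate.execute(token, fake_send)          # the user approved this one
    replay_refused = False
    try:
        gate.execute(token, fake_send)      # same token again
    except ConsentRequired:
        replay_refused = True

    over_budget_refused = False
    try:
        gate.propose("conduct", {"task": "x"}, 7)   # 4 spent, 6 left
    except BudgetExceeded:
        over_budget_refused = True

    return {
        "ungated_sends": ungated_sends,
        "refused_without_token": refused_without_token,
        "replay_refused": replay_refused,
        "over_budget_refused": over_budget_refused,
        "gated_sends": len(sent) - ungated_sends,
        "spent": gate.spent_credits,
    }


if __name__ == "__main__":
    print(demo_gate())
```

The design point is where the token travels: the summary from `propose` is what the user reads before deciding, and the token goes out over the user's channel only. If the token were returned as tool output, an upstream model (or an injected prompt) could call `execute` on its own proposal, which is the exact failure the finding warns about.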

Missing User Warnings

Severity: Medium (86% confidence)
The publish tool accepts arbitrary `card_json` and delegates to publishing logic that may sync capability data to a remote registry, yet this wrapper provides no explicit warning that data may leave the local environment. That creates a risk of unintentional disclosure of proprietary prompts, metadata, endpoints, or other sensitive capability information supplied by the user or agent.
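The two findings about data leaving the box (arbitrary request params sent to providers, and `card_json` synced to a remote registry) share a practical check: scan the outbound payload for things that should never be in a public card or a delegated task before it is transmitted. The example below is added here and is not the skill's own code; the key names and value patterns are ordinary secret-scanning heuristics (the AKIA prefix of AWS access key IDs, `sk-` vendor API keys, PEM private-key headers, three-part JWTs, private IP ranges and local file paths), the sample card is constructed for the example and is not AgentBnB's card format, and `scan_outbound` / `safe_to_send` are hypothetical names.

```python
import re
from typing import Any, Iterator, List, Optional, Tuple

# Added heuristics, not the skill's own code. Key names and value patterns
# are ordinary secret-scanning conventions (e.g. the AKIA prefix of AWS access
# key IDs, 'sk-' vendor API keys, PEM headers, three-part JWTs); tune them
# for your environment.
SENSITIVE_KEYS = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|authorization|cookie|private[_-]?key)", re.I)

VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "vendor_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "bearer_header": re.compile(r"\bBearer\s+[A-Za-z0-9._-]{16,}", re.I),
}

# Endpoints a public card or a delegated request should not be advertising.
INTERNAL_ENDPOINT = re.compile(
    r"https?://(localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+"
    r"|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+|[^/\s:]+\.(internal|local|corp))(:\d+)?(/|$)", re.I)

LOCAL_PATH = re.compile(r"(^|[\s\"'=])(/home/|/Users/|[A-Za-z]:\\)")


def _walk(node: Any, path: str = "$", key: Optional[str] = None) -> Iterator[Tuple[str, Optional[str], Any]]:
    """Yields (json_path, nearest_dict_key, leaf_value) for every leaf."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def scan_outbound(payload: Any) -> List[dict]:
    """Returns one entry per suspicious leaf: where it is and why it matched."""
    hits: List[dict] = []
    for path, key, value in _walk(payload):
        if key and SENSITIVE_KEYS.search(key) and value not in (None, "", False):
            hits.append({"path": path, "reason": "sensitive_key_name"})
        if not isinstance(value, str):
            continue
        for name, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                hits.append({"path": path, "reason": name})
        if INTERNAL_ENDPOINT.search(value):
            hits.append({"path": path, "reason": "internal_endpoint"})
        if LOCAL_PATH.search(value):
            hits.append({"path": path, "reason": "local_filesystem_path"})
    return hits


def safe_to_send(payload: Any) -> bool:
    """Gate to run before a publish(card_json) or request(params) transmits."""
    return not scan_outbound(payload)


# Constructed sample card for this example; not a real AgentBnB card or format.
SAMPLE_CARD = {
    "name": "doc-summarizer",
    "description": "Summarizes design docs",
    "endpoint": "http://10.0.3.14:8080/invoke",
    "auth": {"api_key": "sk-" + "a" * 32},
    "examples": [{"input": "/Users/alice/Documents/roadmap.md"}],
    "price_credits": 3,
}

CLEAN_CARD = {
    "name": "doc-summarizer",
    "endpoint": "https://provider.example.com/invoke",
    "price_credits": 3,
}

if __name__ == "__main__":
    for hit in scan_outbound(SAMPLE_CARD):
        print(f"{hit['path']}: {hit['reason']}")
    print("safe:", safe_to_send(CLEAN_CARD))
```

Run against the sample card this reports the private endpoint, the `api_key` both by name and by value shape, and the local path in the example input; the clean card passes. A wrapper that refuses to publish or delegate while `safe_to_send` is false, and shows the hit list to the user, supplies the disclosure the finding says is missing at the moment of use.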

VirusTotal

67/67 vendors flagged this skill as clean.
