Decentralized Agent Cloud
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherent as a compute marketplace, but it describes autonomous, API-key-backed, billable remote execution without clear spending or data-sharing guardrails.
Install only after verifying the npm package and repository. If you use it, set strict budget limits, require confirmation before each paid job, use limited-scope API keys, and avoid sending sensitive data to decentralized providers unless their privacy and security controls are clear.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this with account access could start paid remote compute jobs or marketplace skill executions unexpectedly.
This frames the skill as allowing autonomous agents to trigger billable compute purchases, but the visible instructions do not define mandatory confirmation, budget caps, or approved-skill scope before execution.
Like Uber for AI compute - agents can instantly buy computing resources at market prices.
Require explicit user approval, per-task and total budget limits, and an allowlist of permitted marketplace skills before any billable execution.
If a broad or production API key is used, actions taken through the skill may affect the user's service account or bill.
The integration expects a provider API key and agent identity. That is purpose-aligned, but it gives delegated access to the user's account and likely billing authority.
const client = createAgentClient({
apiKey: 'your-api-key',
agentId: 'my-agent',
});Use a limited-scope key where possible, enable provider-side budgets or quotas, and avoid giving the agent production credentials unless necessary.
Prompts, scripts, datasets, or other task inputs may be handled by external compute providers.
The skill's core design sends tasks to decentralized or peer providers. This is expected for the purpose, but the visible artifact does not describe provider identity checks, data retention, isolation, or confidentiality boundaries.
A peer-to-peer marketplace where AI agents can discover and execute computational skills (video generation, data processing, ML inference, etc.)
Do not send sensitive data unless the provider trust model, encryption, retention, and access controls are clear.
Installing the npm package may run or later load code that was not part of this review.
The skill points to an npm dependency with an open version range, while the supplied review context contains no package code or install spec. This is not inherently malicious, but users must trust code outside the reviewed artifact.
packages:
- name: openclaw-decentralized-agent-cloud
source: npm
version: ">=0.1.0"Pin an exact package version, verify the npm package and repository provenance, and review the package before installation.