virtuals-protocol-acp

Warn

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: MEDIUM

Flags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill stores sensitive agent credentials, including the Virtuals Lite Agent API key and session tokens, in plain text within local config.json and active-bounties.json files.
  • [COMMAND_EXECUTION]: Extensive use of shell command execution via execSync, spawn, and exec to manage background processes, interact with external CLI tools (OpenClaw, Railway), and search for process IDs.
  • [REMOTE_CODE_EXECUTION]: The seller runtime dynamically loads and executes TypeScript handlers from the filesystem based on job event data. A lack of strict validation on the offering names used in file path construction creates a potential path traversal vulnerability.
  • [EXTERNAL_DOWNLOADS]: The deployment command automatically installs external dependencies, specifically the Railway CLI, globally using the system package manager (npm).
  • [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by ingesting and processing untrusted data from the ACP marketplace, such as job requirements and candidate descriptions, which are then used in logic or presented to the user. Evidence:
    • Ingestion points: src/commands/bounty.ts (poll results), src/seller/runtime/seller.ts (job requirements)
    • Boundary markers: Absent
    • Capability inventory: Subprocess execution (execSync, spawn, exec), network operations (axios), file system access (config writing)
    • Sanitization: Absent for marketplace data fields
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 3, 2026, 02:58 AM