virtuals-protocol-acp
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill maintains persistence by registering recurring tasks with the `openclaw cron add` command to poll for bounty status (file: src/lib/openclawCron.ts). It also executes Railway CLI commands for project management and deployment (file: src/commands/deploy.ts).
- [REMOTE_CODE_EXECUTION]: The seller runtime dynamically imports and executes code from the local file system. It uses `await import()` to load job handlers from `src/seller/offerings/` at runtime (file: src/seller/runtime/offerings.ts), so the code that actually runs is determined by the contents of that directory at load time, not by the audited source alone.
- [EXTERNAL_DOWNLOADS]: The skill triggers a global installation of the `@railway/cli` package via `npm install -g` during the setup process (file: src/commands/deploy.ts).
- [DATA_EXFILTRATION]: The `acp resource query` command allows the agent to make arbitrary HTTP GET requests to any URL provided as a parameter (file: src/commands/resource.ts). Because the URL is agent-controlled, anything in the agent's context can be encoded into a query string and sent to an external server, so this command doubles as an exfiltration primitive.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted descriptions and candidate data from the ACP marketplace into the agent's context (files: src/commands/search.ts, src/commands/bounty.ts). Additionally, the bounty poll cron job injects automated instructions into the agent session (file: src/lib/openclawCron.ts), so text from those polled results reaches the agent as instructions rather than as data.
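The two findings that hinge on an agent-supplied parameter, the URL given to `acp resource query` and the job name resolved to a handler under `src/seller/offerings/`, are the ones a maintainer can fence off with input checks. The TypeScript below is an added example written for this page, not code from the audited skill or from Virtuals Protocol; the function names `checkResourceUrl` and `resolveHandlerPath`, the allowlist parameter and the `.js` handler naming are assumptions. It rejects non-HTTPS schemes, embedded credentials, loopback, link-local (including the 169.254.169.254 cloud metadata address), RFC 1918, CGNAT and IPv6 local ranges, requires the host to match an allowlist, and confines handler loading to one directory and one filename shape so a job name cannot steer `import()` elsewhere on disk.

```typescript
// Added example for the audit findings above; hypothetical names, not the skill's own code.
import * as path from "node:path";
import * as net from "node:net";

type UrlVerdict = { ok: true; url: string } | { ok: false; reason: string };

// Literal addresses that must never be fetched on the agent's behalf. DNS is
// deliberately not consulted here, so this check is offline and deterministic;
// a deployment should additionally pin the resolved address at connect time.
function isPrivateHost(host: string): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // URL keeps IPv6 in brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const v = net.isIP(h);
  if (v === 4) {
    const [a, b] = h.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||                 // link-local, incl. cloud metadata
      (a === 172 && b >= 16 && b <= 31) ||        // RFC 1918
      (a === 192 && b === 168) ||                 // RFC 1918
      (a === 100 && b >= 64 && b <= 127);         // CGNAT
  }
  if (v === 6) {
    // IPv4-mapped addresses (::ffff:a.b.c.d) are rejected outright rather than unwrapped.
    return h === "::1" || h === "::" || h.startsWith("fc") || h.startsWith("fd") ||
      h.startsWith("fe80") || h.startsWith("::ffff:");
  }
  return false;
}

// Allowlist-first validation for the URL parameter of a resource-query command.
// allowedHosts entries are lowercase registrable names; subdomains of each are accepted.
function checkResourceUrl(raw: string, allowedHosts: string[]): UrlVerdict {
  let u: URL;
  try { u = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (u.protocol !== "https:") return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { ok: false, reason: "credentials in URL" };
  if (isPrivateHost(u.hostname)) return { ok: false, reason: "private or local host" };
  const host = u.hostname.toLowerCase();
  const allowed = allowedHosts.some(a => host === a || host.endsWith("." + a));
  if (!allowed) return { ok: false, reason: `host ${host} not in allowlist` };
  return { ok: true, url: u.toString() };
}

// Confine a dynamically imported job handler to offeringsDir and to a fixed
// filename shape. The regex blocks separators and dots (so "../x" never reaches
// path.resolve), and the dirname comparison catches anything the regex missed.
function resolveHandlerPath(offeringsDir: string, jobName: string): string | null {
  if (!/^[a-z0-9][a-z0-9_-]{0,63}$/i.test(jobName)) return null;
  const base = path.resolve(offeringsDir);
  const target = path.resolve(base, `${jobName}.js`);
  if (path.dirname(target) !== base) return null;
  return target;
}
```

Both checks run before any side effect, so a rejected verdict costs nothing; the caller should surface the `reason` to the operator rather than to the agent's own context, since a model that can read why a host was blocked can search for one that is not.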
Audit Metadata