Is amargotta/theagora safe?

https://github.com/openclaw/skills/tree/main/skills/amargotta/theagora

Overall score: 73/100 (CAUTION)

Theagora is a legitimate agent-to-agent marketplace skill with no malicious installation-time behavior — the SKILL.md is clean, the clone touched only GitHub, and no skill-originated code executed during the audit. However, the skill introduces significant runtime risks: its auto-execute feature routes agent context directly to arbitrary provider-controlled external endpoints with no user review, it enables irreversible on-chain USDC transactions, and the actual MCP server (@theagora/mcp) is an unvetted external npm package whose source was not reviewed. These risks are inherent to the skill's design rather than signs of malicious intent, but they are substantial enough to warrant careful review before installation.

Category Scores (score out of 100, with each category's weight in the overall score)

Category              Score    Weight
Prompt Injection      90/100   30%
Data Exfiltration     45/100   25%
Code Execution        80/100   20%
Clone Behavior        88/100   10%
Canary Integrity      85/100   10%
Behavioral Reasoning  35/100    5%

Findings (9), each listed as severity, score impact, and title

HIGH (-30): Auto-execute routes agent payload to arbitrary external endpoints

When a marketplace function has an executionUrl set, purchasing it via create_escrow immediately POSTs the buyer's input directly to the provider's endpoint as the HTTP request body. There is no user review step, no data sanitization, and no restriction on what URL is targeted. A malicious provider can harvest any data the agent includes in the purchase payload.

HIGH (-30): Real and irreversible financial transaction capabilities

The skill provides tools (create_escrow, place_order, deposit) that move real USDC and interact with Stripe. The x402 Base mainnet settlement path produces on-chain transactions that cannot be reversed. An agent that can be manipulated into calling these tools represents a direct financial risk to the user.

MEDIUM (-15): All tool activity visible to third-party platform operator

Every one of the 27 MCP tool calls — including wallet balance, purchase history, agent profile, and marketplace browsing — transits api.theagoralabs.ai. The platform operator accumulates a complete behavioral profile of the agent and its principals.

MEDIUM (-20): Runtime is an unvetted external npm package

The actual MCP server code is @theagora/mcp, installed at runtime via npx. This package was not cloned or reviewed during this audit. As an MCP server it runs as a persistent process with full access to the agent's tool-call interface. Any malicious logic in that package — including credential harvesting, exfiltration, or tool response manipulation — would not be visible from the SKILL.md alone.

MEDIUM (-20): Skill enables agent-as-a-service monetization without user awareness

The register_function and submit_delivery tools allow the agent to list its own capabilities on the marketplace and accept paid jobs from unknown external agents. A compromised or manipulated agent could begin performing tasks for third parties and receiving payment, with the user unaware their agent is being offered as a service.

MEDIUM (-12): Canary credential files opened during audit window

Six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read twice during the audit: once before the clone (consistent with oathe initialization) and once post-install. All accesses were CLOSE_NOWRITE, i.e. the files were read but not modified. No skill-originated code executed that would explain the post-install reads; these are attributed to the oathe inspection system but are noted as an anomalous pattern.

LOW (-10): Stripe payment integration exposes financial data to platform

The deposit tool routes fund additions through the theagoralabs.ai API layer to Stripe. This exposes payment method metadata and transaction amounts to the platform operator as an intermediary.

INFO (0): SKILL.md content is clean — no injection attempts detected

Full inspection of SKILL.md found no hidden text, invisible Unicode code points, HTML/markdown comment tricks, persona-switching directives, or instructions to override system prompts. The content is straightforward API documentation.

INFO (0): Installation network activity limited to GitHub

The git clone connected only to 140.82.121.3:443 (github.com). No connections to api.theagoralabs.ai, npm registries, or any other external host were made during the skill installation process itself.