Skill Trust Decision

agentcop

AgentCop skill performs undeclared network communication to agentcop.live for badge API operations and uses an undeclared auto-install mechanism with loose version pinning.

Source: Manual upload · Scanned: Apr 4, 2026
Files: 4 · Artifacts: 2 · Violations: 4 · Findings: 4

Why this conclusion was reached

1/4 dimensions flagged

Declared vs actual capability: Block
4 undeclared or violating capabilities were inferred.

Hidden execution and egress: Review
2 lower-risk artifacts were extracted and still need context.

Attack chain and severe findings: Pass
There is no explicit malicious chain in the report.

Dependencies and supply chain hygiene: Pass
Dependencies are present but no obvious high-risk issue stands out.

What drove the risk score up

Undeclared network communication (+15)
SKILL.md documents the badge commands but does not mention the agentcop.live API calls.

Undeclared auto-install mechanism (+10)
skill.py auto-installs agentcop from pip without version pinning; this is documented in README.md but not in SKILL.md.

Loose version constraint (+10)
agentcop>=0.4,<1 allows any 0.x version, introducing supply chain risk.

Undeclared filesystem writes (+10)
Writes to ~/.openclaw/agentcop/ (events.jsonl, sessions, identity.db) are not declared as filesystem:WRITE.

Most important evidence

Undeclared network communication to agentcop.live
Severity: Medium · Category: Doc Mismatch
Badge subcommands (generate, verify, renew, revoke, status, markdown) contact the https://agentcop.live/badge API, but this endpoint is not mentioned in SKILL.md. Users are not informed that badge operations involve external network requests.
Location: skill.py:756
Recommendation: Add explicit documentation in SKILL.md stating that badge commands require network access to agentcop.live.

Unpinned dependency with loose version constraint
Severity: Medium · Category: Supply Chain
The auto-install mechanism installs 'agentcop>=0.4,<1', which allows any 0.x version, including potentially compromised future releases.
Location: skill.py:52
Recommendation: Pin to a specific version: agentcop==0.4.2.

Auto-install mechanism not documented in SKILL.md
Severity: Low · Category: Doc Mismatch
README.md mentions auto-install via pip, but SKILL.md (the primary skill documentation) does not mention this behavior, creating a documentation gap for users reviewing the skill.
Location: SKILL.md:1
Recommendation: Document the pip auto-install behavior in SKILL.md or remove it entirely.

Implicit filesystem write access not declared
Severity: Low · Category: Priv Escalation
The skill writes state files to ~/.openclaw/agentcop/ (events.jsonl, sessions, identity.db) but does not declare the filesystem:WRITE capability.
Location: skill.py:57
Recommendation: Declare filesystem:WRITE in the skill metadata.

Declared capability vs actual capability

Capability    Decision  Declared  Inferred  Evidence
Filesystem    Block     NONE      WRITE     skill.py:57-66 writes to _STATE_DIR
Network       Block     NONE      WRITE     skill.py:756-773 POSTs to the agentcop.live/badge API
Shell         Block     NONE      WRITE     skill.py:50-54 pip install via subprocess
Environment   Block     NONE      READ      skill.py:60 reads OPENCLAW_AGENT_ID, AGENTCOP_BADGE_API, AGENTCOP_STATE_DIR

Suspicious artifacts and egress

Severity  Type          Value                        Location
Medium    External URL  https://agentcop.live        README.md:78
Medium    External URL  https://agentcop.live/badge  skill.py:754

Dependencies and supply chain

Package   Version   Source  Known vuln  Notes
agentcop  >=0.4,<1  pip     No          Loose version constraint allows any 0.x version (supply chain risk)

File composition

4 files · 1125 lines
Python: 1 file · 899 lines
Markdown: 2 files · 203 lines
JSON: 1 file · 23 lines

Files of concern · 3
skill.py (Python · 899 lines): Undeclared network communication to agentcop.live · Unpinned dependency with loose version constraint · Implicit filesystem write access not declared · https://agentcop.live/badge
SKILL.md (Markdown · 118 lines): Auto-install mechanism not documented in SKILL.md
README.md (Markdown · 85 lines): https://agentcop.live
Other files: package.json

Security positives

Credential detection patterns are used only for security scanning (LLM06), not exfiltration
Base64 decoding includes safety checks (minimum 8 printable chars)
README.md documents auto-install behavior
SKILL.md provides comprehensive documentation of OWASP LLM Top 10 detection capabilities
No evidence of actual credential theft or data exfiltration beyond declared security scanning
package.json includes proper metadata, authors, and license information
Exit codes are properly documented