Anyone can deploy an agent. Not everyone should. The fix isn't a longer review queue — it's starting from a template that already has the guardrails wired on, and refusing to store one that doesn't.
That sounds obvious until you look at how the first generation of agent marketplaces actually shipped.
The marketplace is the supply chain now
On February 1, 2026, Koi Security researcher Oren Yomtov published a full audit of ClawHub, the official skill marketplace for the OpenClaw agent. Of 2,857 skills listed at the time, 341 were malicious. By February 5, Antiy researchers had counted 1,184 malicious packages tied to 12 publisher accounts — with a single uploader responsible for 677 of them. The skills wore professional documentation and innocuous names, then instructed the user to download a password-protected archive and run an executable that turned out to be a keylogger harvesting API keys and credentials.
The detail that matters most isn't the body count. It's the gate. The only requirement to publish to ClawHub was a GitHub account at least one week old. No code review. No signing. No malware scanning. The marketplace launched open by default and let the ecosystem find the malware for it.
This is the shape of agent security in 2026: a supply-chain problem first, a prompt-injection problem second. A template, a skill, a SOUL file — whatever your platform calls the unit of reusable agent behavior — is executable instruction. If it enters your system unscanned, you've imported an attacker's intent and given it your agent's permissions.
Convenience is the attack surface
The reason marketplaces exist is the same reason they're dangerous. Deploying an agent from scratch is tedious: you write the system prompt, wire the integrations, configure the PII rules, set the escalation thresholds, attach the compliance settings. A template collapses all of that into one click. That's genuinely useful — and it's exactly why a poisoned template is so effective. The user who reaches for a template is, by definition, trying not to read every line.
So the question for any agent marketplace is not "how many templates do you have." It's two narrower questions: what guardrails ship inside the template by default, and what does it take to get a template into the catalog in the first place.
What a VeriSwarm template actually carries
A VeriSwarm agent template isn't a prompt with a nice name. It's a structured bundle — a config.json, a SOUL.md defining the agent's behavior, and, where the vertical demands it, a compliance descriptor. There are six built-in templates today (generalist, healthcare, real estate, support, accounting, legal), and the guardrails are part of the config, not an afterthought you remember to switch on later.
Take the healthcare template. Its config ships with Guard's PII tokenization enabled, injection scanning on, Vault audit logging on, PHI detection turned up, and a HIPAA-mode flag wired to a hipaa.json compliance descriptor. The SOUL file tells the agent, in its own instructions, that patient data is tokenized before it ever reaches the model and that clinical questions route to staff rather than getting answered. The accounting template carries a PCI-DSS descriptor; the legal template carries its own. Deploy any of them and the agent starts in a posture that took the template author the work to get right — not a blank one you have to harden under deadline.
That's the "five minutes" claim, and it's the unglamorous half of trust: most deployments fail safe not because the operator made a heroic configuration decision, but because the default already pointed the right way.
The catalog gate: scanned before it's stored
The more interesting half is what happens when you bring your own. Custom templates are tenant-scoped — your team can author and deploy private ones. Every custom SOUL file is run through a security audit before it's stored, and the audit is built for an adversary, not a typo.
It checks for four classes of problem: prompt-injection patterns (instruction overrides, persona shifts like "you are now…" or "ignore previous instructions"), prohibited content via moderation, dangerous capability declarations (shell execution, filesystem access, credential theft, exfiltration), and — the category most relevant to a trust platform — explicit attempts to disable the platform's own controls. A SOUL file that tries to tell the agent to skip Guard scanning, bypass the audit log, or turn off PII tokenization gets flagged as critical and refused.
And because attackers don't write "disable guard" in clean ASCII, the scanner normalizes Unicode before it looks. It collapses homoglyphs and strips zero-width characters, then builds a second comparison form with all whitespace and punctuation removed — so "disable guard," "dis-able guard," and "d i s a b l e guard" all resolve to the same banned phrase. Evasion through invisible characters is the oldest trick in content filtering; the scan assumes it from the start. The same audit runs again on import, so a template that was clean when exported can't be tampered with in transit and quietly re-introduced. Template exports are Ed25519-signed, and import verifies the signature before the content is trusted.
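To make the normalization step concrete, here is an added example of a pre-storage SOUL audit (not VeriSwarm's own code): it NFKC-folds the text, strips zero-width characters, collapses a small constructed set of Cyrillic homoglyphs, and builds the punctuation-and-whitespace-free comparison form, so "dis-able guard", "d i s a b l e guard" and "disаble guard" all resolve to the same banned phrase. The banned-phrase list, injection patterns and severities are assumptions; the block covers the control-disable and prompt-injection classes only.

```python
import re
import unicodedata

# Constructed phrases for the "disable the platform's own controls" class;
# the real list is an assumption, the page names only the behaviours.
CRITICAL_PHRASES = ["disable guard", "bypass audit log", "turn off pii tokenization"]
# Constructed instruction-override / persona-shift patterns.
INJECTION_PATTERNS = [r"ignore (all )?previous instructions", r"you are now\b"]

# Zero-width and BOM code points used to split a phrase invisibly.
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")
# Small constructed homoglyph map (Cyrillic look-alikes -> Latin);
# a production scanner would use a full confusables table.
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                            "\u0456": "i", "\u0455": "s", "\u0441": "c",
                            "\u0440": "p", "\u0445": "x"})
# Squash form: drop everything that is not a lowercase letter or digit.
SQUASH = re.compile(r"[^a-z0-9]")


def normalize(text: str) -> str:
    """NFKC-fold (fullwidth -> ASCII), strip zero-width chars, collapse homoglyphs, lowercase."""
    text = unicodedata.normalize("NFKC", text)
    text = ZERO_WIDTH.sub("", text)
    return text.translate(HOMOGLYPHS).lower()


def audit_soul(text: str) -> list:
    """Return findings as (severity, category, evidence) tuples; empty list means clean."""
    norm = normalize(text)
    squashed = SQUASH.sub("", norm)          # "dis-able guard" -> "disableguard"
    findings = []
    for phrase in CRITICAL_PHRASES:
        if SQUASH.sub("", phrase) in squashed:
            findings.append(("critical", "control-disable", phrase))
    for pattern in INJECTION_PATTERNS:
        m = re.search(pattern, norm)         # word boundaries need the spaced form
        if m:
            findings.append(("high", "prompt-injection", m.group(0)))
    return findings


def accepted(text: str) -> bool:
    """Gate decision: anything critical is refused before storage."""
    return not any(sev == "critical" for sev, _, _ in audit_soul(text))
```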
None of this makes a malicious template impossible. It makes the ClawHub failure mode — open by default, scanned by no one, found by the victims — structurally not the way the catalog works. The gate runs before storage, not after an incident.
The pattern, stated plainly
A marketplace that ranks templates by popularity and never scans them is optimizing for the wrong thing. Popularity is what attackers farm; "solana-wallet-tracker" looked popular too. The thing worth optimizing is the floor: the worst template a user can deploy by accident should still have PII tokenization on, an audit trail running, and no instruction inside it that the platform was willing to store unexamined.
Built-in templates give you a safe starting posture. The pre-storage SOUL audit keeps the custom ones from becoming the thing you imported and regretted. That's the difference between a catalog and a liability.
Browse the six built-in templates and deploy one on the VeriSwarm marketplace on the free tier — Gate scoring and the template guardrails come standard. If you're authoring your own, the SOUL security audit runs on every create and import automatically; you don't configure it, and you can't turn it off.