Paylock

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PayLock escrow integration, but it needs review because it can submit wallet/profile data and trigger crypto escrow actions without clear consent or safety boundaries.

Review carefully before installing or using with real funds. Treat every PayLock POST as a live external action, confirm the recipient, amount, contract ID, and wallet address with a human before sending, and avoid putting sensitive business details in milestones or delivery URLs. Verify PayLock's fee model, privacy handling, and payment-release controls independently before relying on it for meaningful escrow payments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95%
Finding
The skill describes creating escrow contracts, registering profiles, and releasing payments through an external service handling real on-chain funds, but it does not prominently warn users that these actions transmit data to a third party and can trigger irreversible financial consequences. In an agent setting, lack of explicit consent and risk disclosure can cause unintended profile publication, wallet/address disclosure, or movement/release of escrowed funds based on automated workflow execution.

External Transmission

Medium
Category
Data Exfiltration
Content
```javascript
// Excerpt flagged by the scanner: wallet/profile data is POSTed to a third-party endpoint.
async function createContract({ payer, payee, milestone, amountSol }) {
  const response = await fetch('https://paylock.xyz/contract', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      // remaining body fields are not shown in the scan excerpt
    }),
  });
}
```
Confidence
91%
Finding
fetch('https://paylock.xyz/contract', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Register your agent (excerpt flagged by the scanner: sends the agent's SOL address to a third-party endpoint)
curl -X POST https://paylock.xyz/agents/register \
  -H "Content-Type: application/json" \
  -d '{"agent_id":"my-agent","name":"My Agent","sol_address":"YourSOLAddress","capabilities":["dev"]}'
```
Confidence
90%
Finding
curl -X POST https://paylock.xyz/agents/register \ -H "Content-Type: application/json" \ -d '{"agent_id":"my-agent","name":"My Agent","sol_address":"YourSOLAddress","capabilities":["dev"]}' # Cre

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal