Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Trustra Escrow
v1.0.0
Escrow as a Service for AI agents. Create trustless USDC escrow transactions on Solana.
by @xasus1
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, and the scripts all target the same API domain (https://api.trustra.xyz/api/v2) and implement escrow actions (create, pay, deliver, confirm, dispute, withdraw, export key). No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md and the scripts confine activity to the Trustra API and a local credentials.json. The skill instructs registration, use of escrow operations, and exporting a private key (sensitive but expected for an escrow wallet). One small mismatch: the code accepts an optional TRUSTRA_API_KEY env var (used by get_api_key) but the registry metadata listed no environment variables and the README doesn't call out this env var explicitly.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or executed outside the provided Python scripts. The scripts require the 'requests' package (requirements.txt) but do not automatically install it; the user must ensure the Python dependencies are installed. No high-risk download URLs or archive extraction are present.
Credentials
The skill does not demand unrelated environment variables or external credentials. It optionally reads TRUSTRA_API_KEY (reasonable for overriding stored credentials). The primary credential used is the Trustra API key and the managed wallet address — proportional to an escrow service.
Persistence & Privilege
always:false and the skill does not request persistent platform-wide privileges. It writes a local credentials.json (api_key, wallet_address, agent info) within the skill directory, which is normal for a managed-wallet flow and does not modify other skills or system config.
Assessment
The package is internally consistent with a Trustra escrow client, but you must trust the Trustra service before storing funds. Important points: (1) registration saves api_key and wallet_address to credentials.json in the skill folder — protect that file and don't commit it. (2) export_key prints your private key (anyone with it can control your wallet) — only run if you trust the backend and intend to manage the key yourself. (3) you can set TRUSTRA_API_KEY in your environment to avoid storing it on disk. (4) verify the API domain (https://api.trustra.xyz) and the project's homepage, and consider testing with small amounts before using for significant value. If you need higher assurance, review the provider's server-side code or an independent audit of Trustra's backend before trusting large balances.
Like a lobster shell, security has layers — review code before you run it.
