Trust Escrow

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Base Sepolia escrow guide, but it gives agents ready-to-run wallet-signing and USDC approval/payment examples without enough safety guardrails.

Install only if you intend to interact with this specific Base Sepolia escrow contract. Use a dedicated test wallet, do not paste a real or reused private key into chat or source files, independently verify the contract and USDC addresses, and approve each transaction only after checking the receiver, amount, deadline, escrow ID, and allowance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The example workflow includes live on-chain actions that approve USDC spending, create an escrow, and release funds, but it does not clearly warn that these are real transactions that move tokens and may be irreversible once confirmed. In an agent-skill context, examples are often copied verbatim or executed by automation, so missing safety prompts increases the chance of unintended token approval or premature payment release.

VirusTotal

60/60 vendors flagged this skill as clean.