Skill v1.0.0

ClawScan security

Trust Escrow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 8:56 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's description and code samples match its escrow purpose, but the runtime instructions implicitly require handling users' private keys and external websites while declaring no credentials or provenance — this mismatch raises security concerns.
Guidance
Before installing or using this skill:
1) Treat the skill as requiring transaction signing even though it doesn't declare credentials — do NOT paste private keys into the agent. Use an external signer (hardware wallet, WalletConnect, or an ephemeral signing service) if you intend to interact.
2) Verify the contract and USDC token addresses on a block explorer and review the escrow contract source yourself (or ask the author for verified source).
3) Confirm the skill's provenance: who published it, and does the web app/agent docs belong to a reputable project?
4) If you must test, use a throwaway account with minimal funds on the Sepolia testnet first.
5) Prefer skills that explicitly declare credential needs and recommend secure signing flows; if the agent will ever have signing power, restrict autonomous invocation or require explicit user approval for transactions.

Review Dimensions

Purpose & Capability
ok
Name, description, and SKILL.md functions (create/release/autoRelease/dispute, batch ops) align with an on-chain USDC escrow contract on Base Sepolia. Contract and token addresses, RPC, and code examples are consistent with the stated purpose.
Instruction Scope
concern
The SKILL.md contains concrete wallet code that requires a raw private key (privateKeyToAccount('0xYOUR_PRIVATE_KEY')) and shows writeContract calls. It does not instruct safe signing practices (e.g., external signer, hardware wallet, WalletConnect) and gives no constraints on where the private key comes from. That creates a real risk that an agent following these instructions could request, store, or transmit private keys. The doc links to external web apps (vercel.app) and an 'agent-info' page — these could be legitimate integration docs but are external endpoints the agent might contact; the SKILL.md does not specify or limit what agent-supplied data to send to those endpoints.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — low install risk because nothing is written to disk by an installer. The scanner had no code to analyze.
Credentials
concern
The skill declares no required environment variables or primary credential, yet its examples require a signing key (private key) and use an RPC endpoint. The implicit need for a private key (or other signer) is neither declared nor constrained — a mismatch that could lead to insecure practices (pasting private keys into the agent).
Persistence & Privilege
note
always:false (normal). The skill allows autonomous invocation by default (platform default). While that alone is not a problem, autonomous invocation combined with access to a user's private key would be high-risk — the SKILL.md does not prevent the agent from performing on-chain writes if it obtains signing credentials.