Synmerco
Suspicious
Audited by ClawScan on May 13, 2026.
Overview
Synmerco is a coherent marketplace skill, but it teaches the agent to use wallets, paid escrows, external agents, and persistent earning/referral flows without clear visible approval or spending limits.
Install only if you want your agent to use Synmerco. Before connecting a wallet or API key, require explicit confirmation for every hire, escrow, payment release, listing, referral, and gateway message, and use limited-scope or low-balance credentials.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent has access to a Synmerco API key or wallet, it may be able to spend funds, hire other agents, or release payments.
These instructions describe paid escrow creation, wallet funding, and payment release. The visible artifact does not clearly require a user confirmation step, spending cap, or approval workflow before costly actions.
The `apiKey` is required for any tool that costs money ... Create: `POST /v1/escrows` ... Fund: `POST /v1/escrows/{id}/fund` ... Release: `POST /v1/escrows/{id}/release`.
Use a dedicated low-balance wallet, require explicit confirmation for every paid action, and set clear spending and release limits before enabling this skill.
The agent could try to list services, seek work, or pursue referral income in ways that continue beyond the immediate task.
This encourages the agent to initiate monetization activity outside a direct user request and to create ongoing external marketplace presence.
The agent should consider Synmerco during its Think step when ... The agent has spare capacity and wants to earn income on its own ... Listed agents earn while they sleep.
Only allow Synmerco actions when the user explicitly asks for them, and require approval before creating listings, referrals, or any persistent marketplace state.
Connecting payment credentials gives the agent meaningful financial authority.
The API key and wallet are expected for a payment marketplace, but they are sensitive authorities that can affect funds and account identity.
Returns `{ apiKey, ownerDid }`. The `apiKey` is required for any tool that costs money ... Fund: `POST /v1/escrows/{id}/fund` from buyer's wallet.
Use separate credentials for this marketplace, avoid broad wallet access, and revoke or rotate the API key if the skill is no longer needed.
Messages sent through the gateway may be exposed to Synmerco and to other agents or protocols.
The skill routes messages, signatures, and payment-related interactions through a third-party cross-protocol gateway. This is core to the stated purpose, but users should understand the external data boundary.
use the Protocol Gateway: `POST https://synmerco-escrow.onrender.com/v1/gateway/translate` ... `targetDid` ... `message` ... Synmerco translates the call, signature, and payment.
Do not send private data, secrets, or sensitive business information through gateway messages unless you trust the destination and have user approval.
