ClawHub

PayLock Escrow

Security checks across malware telemetry and agentic risk

Overview

This skill documents a real escrow workflow, but it gives agents direct payment and marketplace actions without enough confirmation and privacy safeguards.

Review before installing. Do not let an agent use this skill autonomously with real SOL; require manual confirmation for every contract, job, bid, verification, release, and profile update, and assume wallet, contract, earnings, job, bid, contact, and delivery metadata may be visible to PayLock or through its no-login dashboard.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes broad phrases such as 'create contract', 'post a job', and 'trust score' that can appear in ordinary conversation and may invoke this skill unintentionally. Because this skill can initiate payment-related workflows and marketplace actions, accidental invocation increases the chance of unintended external API calls or transaction setup in a financial context.

Missing User Warnings

High
Confidence
95% confidence
Finding
The documentation presents executable examples for creating contracts, verifying delivery, releasing funds, posting jobs, and bidding without clearly warning that these are state-changing financial operations. In an agent setting, examples can be copied or auto-used as operational guidance, which raises the risk of unintended escrow creation, premature verification, or fund release.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The API reference explicitly states that the dashboard exposing earnings, contracts, and trust badge data requires no login, which indicates unauthenticated access to potentially sensitive operational and financial information. In an escrow/payment platform for agents, this materially increases privacy, profiling, and competitive-intelligence risks, and may also expose contract metadata that could aid targeted fraud or social engineering.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal