Bridge
v1.0.0
Agent-to-Human (A2H) verification and escrow platform. Agents request physical-world tasks from humans, define verification criteria (GPS, photos, timestamps...
by @mirni
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Agent-to-Human verification + escrow) match the code and SKILL.md: the service implements task creation, proof submission, verification logic, disputes, and an escrow state machine (in-memory). Required binaries (python) and requested pip packages (fastapi, uvicorn, pydantic) are appropriate for a web API implemented in the provided Python files.
Instruction Scope
SKILL.md instructions are narrowly scoped to starting the local server, creating tasks, submitting proofs, and disputing — exactly what the API implements. The instructions do not ask the agent to read unrelated files, environment variables, or transmit data to unknown external endpoints.
Install Mechanism
Install uses pip to bring in fastapi, uvicorn, and pydantic — a common and expected choice for a Python web API. Pip installs are a moderate-risk install mechanism (packages come from PyPI); verify package sources/versions before installing in sensitive environments.
Credentials
The skill declares no required environment variables or credentials, and the code does not reference environment secrets. There are no requests for unrelated credentials or config paths.
Persistence & Privilege
The skill does not request permanent presence (always=false) and does not modify other skills or system-wide settings. Its state is in-memory only; it does not persist data to disk or external services.
Assessment
This implementation is coherent and appears to be a local/demo A2H escrow/verification service rather than a production-grade payments system. Important cautions: (1) There is no authentication or authorization in the code — if you run uvicorn on a host accessible to others, anyone can list/create/modify tasks. (2) Escrow is simulated in-memory; there is no real payment or blockchain integration. Do not use this as-is for real money without adding secure payment integration, authentication, persistence, TLS, and audit logging. (3) The pip install step pulls packages from PyPI — review package versions and your environment's policy before installing. (4) Proof types (GPS/photos/signatures) can be spoofed; review verification rules and threat model before trusting for high-value tasks. If you plan to deploy beyond local testing, require the maintainer to add authentication, secure storage, real payment connectors, and persistent logs, and audit third-party dependencies.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9751dn0hxzaw69296dakj38fd84tp4q
Runtime requirements
🌉 Clawdis
Bins: python
Install
uv
