Arc Security - Agent Trust Protocol
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s blockchain trust/payment purpose is mostly coherent, but it uses a wallet private key to sign transactions, can spend or stake USDC, and installs remote ZIP packages with weak safeguards that users should review carefully.
Review this skill before installing. If you use it, configure only a dedicated test wallet with minimal funds, verify the contract and x402 server yourself, do not reuse a main wallet private key, and avoid using the 'use' command unless downloaded packages are signed and extracted safely.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can initiate wallet transactions such as claims, votes, payments, earnings withdrawals, approvals, and staking actions from the configured wallet.
The code reads a wallet private key from the environment and uses it to sign blockchain transactions. This is high-impact account authority, and it is not declared in the registry requirements or skill.json config.
self.private_key = os.getenv('PRIVATE_KEY') ... signed_tx = self.w3.eth.account.sign_transaction(tx, self.private_key)
Use only a dedicated low-balance test wallet, do not reuse a main wallet private key, and require the skill to declare PRIVATE_KEY as a primary credential with clear transaction limits and confirmations.
A malicious or misconfigured payment server could cause the skill to approve or attempt to pay more USDC than the user expected.
The payment amount comes from the x402 server response and is then approved/used for payment. This is not capped to the documented 0.10 USDC after the user has confirmed that expected fee.
amount_wei = int(payment_data.get('amount', 100000)) ... usdc_contract.functions.approve(..., amount_wei)
Fetch the 402 payment request before confirmation, display the exact amount and recipient, enforce a maximum expected fee, and reject mismatches unless the user explicitly approves the new amount.
A hostile ZIP package could overwrite files outside the intended directory or install untrusted skill code that the agent may later run.
The skill downloads a ZIP from the configured payment server and extracts it directly without package signature checks, hash verification, or path traversal protection.
with zipfile.ZipFile(filename, 'r') as zip_ref:
    zip_ref.extractall(install_dir)
Only install signed/verified packages from trusted sources, validate ZIP entry paths before extraction, extract into a sandboxed directory, and ask the user before enabling downloaded code.
Users may over-trust and install a skill merely because it is bonded or not yet flagged, even if it has not been meaningfully reviewed.
The skill labels any bonded, unflagged skill as 'Safe to use' even though the artifacts show no independent code review, signature verification, or trust threshold enforcement.
print(f"├─ Status: {'🚩 Flagged for review' if flagged else '✅ Safe to use'}")
Use neutral wording such as 'not currently flagged,' show the trust score inputs, require clear verification criteria, and avoid presenting economic bonding alone as proof that code is safe.
