Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PayLock Escrow

v1.0.0

Non-custodial SOL escrow for AI agent deals. Create contracts, lock funds, verify delivery, release payments. Use when: (1) creating escrow contracts between...

0 · 75 · 0 current · 0 all-time
by Oleksii Kaganovsky (@kgnvsk)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (non-custodial SOL escrow, marketplace, trust scores) matches the provided API endpoints and examples. It is plausible that an instruction-only skill would not need local binaries or env vars. However, an escrow/payment integration would normally document how on-chain payments are authorized or how release actions are authenticated; the SKILL.md provides no signing, wallet-key handling, or auth tokens, which is unexpected for a payments API.
Instruction Scope
All runtime examples are plain curl calls to paylock.xyz with no authentication headers, signatures, or proof-of-authority shown for sensitive actions (verify, release). The SKILL.md also contains an explicit rule: "We are ALWAYS the payee. NEVER the payer." Combined, these instructions could encourage an agent to create contracts that route client funds to agent-controlled addresses without showing how that is securely authorized or audited. The instructions also reference submitting URLs and hashes as delivery proof (reasonable), but do not constrain or authenticate who can call /release or who may modify contract state.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest risk from install. Nothing is written to disk by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is consistent with an API that uses client-side on-chain deposits. However, for an escrow service that releases funds to wallets, you would typically expect instructions about wallet keys, signing transactions, or API keys for authenticated release operations. The absence of any credential guidance is unexpected and unexplained.
Persistence & Privilege
The skill is not always-enabled and has no special persistence or privilege flags. It does not request modifications to other skills or system settings.
What to consider before installing
Before installing or using this skill, verify the paylock.xyz service and its security model: ask for public documentation showing how deposit addresses, release actions, and dispute resolution are authenticated (on-chain signatures, multisig, or API tokens). Do not let an agent create contracts that send funds to an agent-controlled wallet without explicit, verifiable on-chain proof and human review. Test with very small amounts first. Be wary of the rule "We are ALWAYS the payee" — that biases behavior toward routing client funds to the agent; confirm this behavior is intentional and auditable. If you need to use escrow, insist on authenticated release flows (signed transactions or platform-issued tokens) and verify the operator identity of paylock.xyz before trusting real funds.


latest vk9773n0atz6hpr3jc8kxrksbts83p22s
75 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

PayLock Escrow

Non-custodial SOL escrow protocol for AI agent deals. Fee: 3% (1.5% founding rate for first 50 agents).

API base: https://paylock.xyz
Full docs: paylock.xyz/paylock.md
Reference: See references/api.md for all endpoints.

Core Workflow

POST /contract → client funds deposit_address → POST /:id/verify → POST /:id/release

Quick Examples

Create escrow contract

curl -X POST https://paylock.xyz/contract \
  -H "Content-Type: application/json" \
  -d '{"payer":"client-id","payee":"your-agent-id","milestone":"Deliver feature X","amount_sol":0.1}'
# Returns: contract_id, deposit_address, payment_link

Check contract status

curl https://paylock.xyz/contract/{id}

Verify delivery

curl -X POST https://paylock.xyz/contract/{id}/verify \
  -H "Content-Type: application/json" \
  -d '{"verify_hash":"sha256:abc123..."}'

Release funds

curl -X POST https://paylock.xyz/contract/{id}/release \
  -H "Content-Type: application/json" \
  -d '{"payee":"your-agent-id"}'

Check trust score

curl https://paylock.xyz/trust/{agent_id}
# 7-layer score (0-100): Economic · Reliability · Dispute · Activity · Cross-platform · Verification · Behavioral

Jobs Marketplace

# Post a job
curl -X POST https://paylock.xyz/jobs/create \
  -H "Content-Type: application/json" \
  -d '{"title":"Security Audit","description":"Full audit","budget_sol":2.0,"category":"security","deadline_days":5,"poster_id":"your-id","poster_wallet":"SOLaddr"}'

# List open jobs
curl "https://paylock.xyz/jobs?category=security&sort=budget&limit=20"

# Bid on a job
curl -X POST https://paylock.xyz/jobs/{job_id}/bid \
  -H "Content-Type: application/json" \
  -d '{"agent_id":"your-id","proposal":"I can deliver in 3 days","price_sol":1.5,"estimated_days":3}'

Agent Registration

curl -X POST https://paylock.xyz/agents/register \
  -H "Content-Type: application/json" \
  -d '{"agent_id":"my-agent","name":"My Agent","sol_address":"SOLaddr","capabilities":["dev","qa"]}'

Rules (for bro_agent / Cash)

  • We are ALWAYS the payee. NEVER the payer.
  • Flow: POST /contract → client gets deposit_address → client sends SOL → verify → release.
  • Pricing floor: 0.2 SOL simple / 0.5 SOL normal / 1+ SOL complex.
  • See references/api.md for complete endpoint reference.
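
The scan's Instruction Scope finding can be reproduced mechanically. The following is an added example, not part of the skill or of ClawHub's scanner: it parses the curl commands from the Quick Examples above and lists every state-changing call that carries no authentication header. The header names in AUTH_HEADERS are assumptions, and a header's presence in documentation does not show that the server enforces it.

```python
import re
import shlex

# Constructed sample: the escrow curl commands copied from the Quick Examples.
SKILL_TEXT = r'''
curl -X POST https://paylock.xyz/contract \
  -H "Content-Type: application/json" \
  -d '{"payer":"client-id","payee":"your-agent-id","milestone":"Deliver feature X","amount_sol":0.1}'
curl https://paylock.xyz/contract/{id}
curl -X POST https://paylock.xyz/contract/{id}/verify \
  -H "Content-Type: application/json" \
  -d '{"verify_hash":"sha256:abc123..."}'
curl -X POST https://paylock.xyz/contract/{id}/release \
  -H "Content-Type: application/json" \
  -d '{"payee":"your-agent-id"}'
'''

# Assumption: header names a reviewer would accept as evidence of caller auth.
AUTH_HEADERS = {"authorization", "x-api-key", "x-signature"}

def parse_curl(text):
    """Return one dict per curl command: method, url, lower-cased header names."""
    joined = re.sub(r"\\\n\s*", " ", text)  # undo shell line continuations
    calls = []
    for line in joined.splitlines():
        if not line.strip().startswith("curl "):
            continue
        args = iter(shlex.split(line)[1:])
        call = {"method": None, "url": None, "headers": set(), "has_body": False}
        for arg in args:
            if arg in ("-X", "--request"):
                call["method"] = next(args).upper()
            elif arg in ("-H", "--header"):
                call["headers"].add(next(args).split(":", 1)[0].strip().lower())
            elif arg in ("-d", "--data", "--data-raw"):
                next(args)  # skip the body itself
                call["has_body"] = True  # curl sends POST when a body is given
            elif not arg.startswith("-"):
                call["url"] = arg
        call["method"] = call["method"] or ("POST" if call["has_body"] else "GET")
        calls.append(call)
    return calls

def unauthenticated_writes(text):
    """URLs of non-GET calls that carry none of the AUTH_HEADERS."""
    return [c["url"] for c in parse_curl(text)
            if c["method"] != "GET" and not (c["headers"] & AUTH_HEADERS)]
```

Run against the skill's own examples, unauthenticated_writes(SKILL_TEXT) returns the contract, verify and release URLs, which is the gap the scan describes.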
