AGIRAILS Escrow Payments

Security checks across malware telemetry and agentic risk

Overview

The skill is openly a real-money blockchain payments skill, but several examples default to mainnet and credential auto-detection in ways users should review before installing.

Install only if you intend to give an agent payment authority. Start in mock or testnet, use a dedicated low-balance wallet, prefer encrypted keystores over raw private keys, verify every provider address and spending limit, and avoid storing sensitive deliverables in public IPFS or broad logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The file content is materially out of scope for a skill described as a trustless payment protocol, instead providing generic validation logic for leads, content, translations, and disputes. This kind of scope drift is dangerous because it can cause downstream agents or operators to apply unrelated business-validation and dispute heuristics in a payments context, leading to incorrect handling of funds, claims, or user data.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The skill includes broad natural-language activation examples such as payment/setup phrases that are close to ordinary user requests. In agent systems, underspecified trigger phrasing can cause the skill to activate on conversational text that merely discusses payments, resulting in unintended installs, wallet initialization, or transaction-related actions.

Vague Triggers

Severity: Low
Confidence: 78%
Finding:
The activation instruction 'Read SKILL.md and set up AGIRAILS payments for my agent' is broad and lacks safety boundaries around installation, wallet creation, file writes, and network usage. This can lead an agent to begin multi-step setup work without first checking whether the user intended package installation, secret usage, or blockchain interaction.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The repeated example 'Pay 10 USDC to 0xProvider for translation service' is a very generic utterance that may appear in normal conversation, testing, or documentation. In the context of a payment skill, such a phrase can be misinterpreted as an instruction to perform real transaction setup or payment actions, increasing the risk of unintended financial operations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The example instructs users to run a mainnet payment workflow that auto-loads signing credentials from a local keystore or ACTP_PRIVATE_KEY, but it provides no warning about secret handling, account scoping, or the fact that these credentials can authorize real on-chain transactions. In an agent skill context, this is dangerous because examples are often copied verbatim into automation, increasing the chance of unintended key exposure or use of privileged wallets for live funds movement.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The sample is configured for mainnet and demonstrates creating transactions, locking escrow, transitioning states, and releasing funds, all of which are irreversible or financially sensitive actions, yet it lacks an upfront warning that this code moves real USDC. In an agent payments skill, this context makes the issue more dangerous because users may treat the example as a ready-to-run template and accidentally execute live payment flows without understanding financial consequences or adding operator approval gates.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The example uses mode: 'mainnet' and demonstrates a real pay flow that locks escrow without an explicit warning that running the snippet can move actual USDC on Base. In agent-oriented tooling, users may copy-paste examples verbatim, so documentation that defaults to live funds materially increases the risk of unintended payments.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The Standard API example releases escrow as soon as tx.state === 'DELIVERED', with only a placeholder satisfied check and no caution that release is financially significant and may be irreversible once executed on-chain. This can normalize unsafe integration patterns where agents or developers auto-release funds based on a single state value without verifying delivery or dispute conditions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The documentation advertises automatic private-key discovery from .actp/keystore.json or ACTP_PRIVATE_KEY without warning about secret handling, wallet selection, or accidental use of a funded production key. In agent and automation contexts, implicit credential loading can cause an operator to unknowingly sign mainnet transactions from a sensitive wallet.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The quickstart encourages users to configure a wallet and immediately issue payment commands such as purchasing leads, but it does not prominently warn that these actions can move real funds and may be irreversible on-chain. Although there is a brief 'testnet first' note, the overall presentation emphasizes speed and ease of autonomous payments, which increases the risk of accidental real-money transactions by operators who are following setup instructions verbatim.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding:
The skill explicitly tells providers to 'log everything' and persist job and earnings data in local files, but provides no guidance on data minimization, redaction, retention, or access controls. In a payments and service-delivery context, those logs can easily accumulate sensitive requester information, transaction metadata, deliverables, dispute details, or wallet-linked business data that could be exposed or misused.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The template explicitly directs providers to upload service results to external storage such as IPFS, Arweave, S3, or a personal server, but it does not warn that deliverables may contain sensitive user data. In a payments-and-service agent context, operators may copy this pattern directly and inadvertently disclose prompts, outputs, or personal/business information to third-party storage systems or public content-addressed networks.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The template demonstrates automatic escrow linking and payment release paths with minimal user-facing safety prompts or confirmation gates. In a payments skill, this can normalize unsafe integration patterns where developers lock funds or release escrow based on weak validation, increasing the chance of accidental fund loss or payment for low-quality or spoofed deliverables.

Ssd 3

Severity: Medium
Confidence: 93%
Finding:
The instruction to persistently track all jobs in memory encourages blanket collection of request data without boundaries, which can lead to over-collection of personal, commercial, or payment-related information. Because this is a merchant/payment skill, operators may store full transaction histories and associated service payloads indefinitely, increasing privacy, breach, and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.