USDC Escrow

Security checks across malware telemetry and agentic risk

Overview

This is a coherent USDC escrow wrapper, but it gives agents direct fund-moving escrow controls through an unauthenticated centralized API with weak safety guardrails.

Install only if you trust the operator of api.payclawback.xyz and are comfortable with agent-accessible escrow actions. Treat every create, release, dispute, resolve, and claim-expired command as a real payment operation; require explicit human approval, verify escrow IDs, recipients, amounts, network, and contract details, and avoid confidential descriptions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes shell-script execution paths (`./scripts/*.sh`) and requires command-line tools (`curl`, `jq`), but it does not declare corresponding permissions or clearly scope what execution is allowed. In an agent environment, this can lead to under-reviewed command execution and network access to the escrow backend, increasing the chance of unintended external actions or hidden capability abuse.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documentation explicitly states sensitive state-changing endpoints use 'Auth: None' while also claiming that only specific parties may invoke them. If the API truly lacks authentication/authorization, any caller could trigger release, dispute, resolution, or expired-claim actions and cause unauthorized on-chain fund movement; if the docs are wrong, the skill still misleads agents into unsafe usage assumptions.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The manifest says the skill supports simple create/release/dispute commands, but the docs also expose dispute resolution and expired-fund reclamation. This capability mismatch can cause downstream agents or users to invoke higher-risk operations they did not consent to, especially because these actions can redirect or reclaim funds.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script resolves escrow disputes by sending an off-chain POST request to a centralized API, which contradicts the stated 'trustless' escrow model. In a payment escrow context, this is security-relevant because whoever controls the API or its authentication path can unilaterally decide fund outcomes, creating a central point of failure and a misleading trust assumption for users.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation instructs agents to create, release, dispute, and resolve escrow actions involving USDC without prominent warnings that these operations affect real funds and may be irreversible once submitted on-chain. In this context, omission is especially dangerous because the skill is explicitly for financial transfers, so an agent or user may execute destructive payment actions without adequate consent or review.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The release action can irreversibly move escrowed USDC on-chain, yet the docs provide no warning about finality or user confirmation expectations. In an agent context, missing warnings increase the chance of accidental or automatic execution of destructive payment actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The dispute resolution endpoint can send funds to either party or refund the depositor, but the docs omit a strong warning that it determines the final allocation of escrowed assets. Without that caution, an agent may treat it like a routine status update rather than a high-impact adjudication action.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Claiming an expired escrow reclaims locked funds after the deadline, which changes asset custody and may be irreversible on-chain. Omitting a warning makes accidental execution more likely in automated agent workflows that act on stale or misunderstood escrow states.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script performs a state-changing POST request that claims funds from an expired escrow immediately when invoked, with no confirmation prompt, dry-run mode, or clear warning to the user. In the context of a financial escrow skill, this increases the chance of accidental or unintended fund actions if a user mistypes an escrow ID, scripts this call incorrectly, or invokes it without understanding the consequence.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script issues a state-changing POST request to open a dispute with no user-facing confirmation, dry-run mode, or summary of what action will occur. In the context of a payment escrow skill, triggering disputes changes transaction state and could cause operational disruption, accidental fund freezes, or unnecessary escalation if the script is invoked with the wrong escrow ID or by automation.

Missing User Warnings

High
Confidence
92% confidence
Finding
This command performs an irreversible escrow resolution action immediately, with no confirmation prompt, dry-run mode, or summary of who will receive funds. In a financial workflow, a mistyped escrow ID or incorrect boolean can release or refund funds to the wrong party, causing direct asset loss through operator error or unsafe automation.

VirusTotal

63/63 vendors flagged this skill as clean.
