Skill v1.0.0
ClawScan security
USDC Escrow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:26 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill claims a trustless on‑chain escrow but its scripts call an unauthenticated central API that (per its docs) uses a server wallet to move funds — this is inconsistent and risky for financial operations.
- Guidance: This skill advertises a 'trustless' on‑chain escrow but its scripts call a third‑party API that (per its docs) uses a central server wallet and requires no authentication. That is a major red flag for any money‑handling service: you could be instructing the agent to send payment requests to an external operator who controls the funds. Before installing or using:
  1) Ask the author to explain exactly how funds are deposited and authorized (how does the server know the depositor consented?), and whether the service is custodial.
  2) Require authenticated API endpoints (API keys, signed requests) or local wallet signing so you control funds.
  3) Verify the API host (who runs api.payclawback.xyz), request an audit of the smart contract and backend, and prefer services with verifiable on‑chain non‑custodial flows.
  4) If you test, use only small amounts on the specified testnet and inspect actual on‑chain transactions.
  5) Consider avoiding this skill until the custodial vs trustless contradiction and the lack of authentication are resolved.
Review Dimensions
- Purpose & Capability (concern): The description advertises a 'trustless USDC escrow' on Base, but the API docs state the server wallet 'approves USDC spending and calls the smart contract to lock funds.' That makes the service custodial, not trustless — a direct contradiction. The skill also requires no user credentials, which is inconsistent with a true non‑custodial escrow where the user signs on‑chain transactions.
- Instruction Scope (concern): All runtime scripts make unauthenticated HTTP calls to https://api.payclawback.xyz (or overridden ESCROW_API_URL). The instructions direct financial actions (create, release, resolve, dispute, claim) to an external service without any authentication or local wallet interaction — meaning funds/control depend on that service's behavior. The SKILL.md does not explain how depositor authorization is enforced.
- Install Mechanism (ok): No install spec; the skill is instruction/script based and only requires curl and jq. Nothing is downloaded or written during install, so install mechanism risk is low.
- Credentials (concern): The skill requests no credentials or wallet access from the user, yet the API docs indicate a server wallet is used to transact. For a payment/escrow service this is disproportionate and suspicious: either the user must provide a signing key (not requested) or the service is custodial and must be trusted — the skill does not make this clear. Additionally, endpoints are documented as 'Auth: None', which is alarming for fund movement.
- Persistence & Privilege (ok): The skill does not request persistent presence (always:false) and does not attempt to modify other skills or agent config. It does not require elevated platform privileges.
