ClawAudit verdict
safelink
A production A2A (agent-to-agent) hiring and escrow skill using MPC wallet providers (Coinbase AgentKit / Privy) where private keys never enter app memory; the skill explicitly discloses all required env vars, notes that stress tests contain literal injection strings as test fixtures (not instructions), and all behavior matches the stated secure agent economy purpose.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Permission integrity
package_install
Findings (7)
Prompt injection — tries to override agent instructions
SKILL.md · frontmatter · Ignore all previous instructions
HTTP request to bare IP address — common in malicious payloads
SKILL.md · code · http://127.0.0.1
Pipe-to-shell pattern (curl | sh) — supply chain attack vector
scripts/deploy-contracts.ts · prose · downgraded · curl -L https://foundry.paradigm.xyz | bash
Pipe to bash — executes piped content as shell commands
scripts/deploy-contracts.ts · prose · downgraded · | bash
References child_process — can spawn system processes
scripts/deploy-contracts.ts · prose · downgraded · child_process
Dynamic import() — loads module at runtime
src/security/replay.ts · prose · downgraded · import("
Popular HTTP library — network access
src/security/input-gate.ts · prose · downgraded · got
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class A/D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
network_inpackage_install Is this flag fair?
Thanks — recorded.