Is eijiac24/haggle-protocol safe?

https://github.com/openclaw/skills/tree/main/skills/eijiac24/haggle-protocol

76
CAUTION

Haggle Protocol is a functionally legitimate on-chain negotiation skill with no evidence of prompt injection, hidden instructions, or unauthorized credential access during the audit. The primary risks are financial rather than malicious: the skill requires a mainnet private key, installs an unaudited npm package that could execute arbitrary code during setup, and interacts with smart contracts that have not been formally security audited. No canary files were exfiltrated and clone-time behavior was clean.

Category Scores

Category              Score    Weight
Prompt Injection      82/100   30%
Data Exfiltration     68/100   25%
Code Execution        63/100   20%
Clone Behavior        88/100   10%
Canary Integrity     100/100   10%
Behavioral Reasoning  55/100    5%

Findings (9)

HIGH: npm install of unverified package with postinstall risk (-37)

scripts/setup.sh installs @haggle-protocol/[email protected] globally via npm without --ignore-scripts, with no lockfile pinning and no checksum verification. Any postinstall script in that package runs with full access to the process environment, including HAGGLE_PRIVATE_KEY, and can execute arbitrary shell commands. This is not a vetted, integrity-pinned install.

HIGH: Unaudited smart contracts handling real USDC on mainnet (-45)

The skill explicitly discloses that smart contracts have NOT been formally audited. The Base Mainnet deployment handles real USDC (6-decimal ERC-20). Exploitable bugs in the escrow or settlement logic could result in permanent loss of deposited funds. The 'permissionless expiry' and 'owner pausable' mechanisms create additional trust assumptions.

HIGH: Private key required in environment variable (-32)

The skill requires HAGGLE_PRIVATE_KEY to be set in the process environment. This EVM private key signs mainnet transactions and controls real funds. Environment variables are readable by every process in the same session, by any co-installed skill with environment read access, and by npm postinstall scripts executed during setup. The key is never logged by this skill's own code, but the exposure surface created by requiring it at all is significant.

MEDIUM: Centralized owner-pausable contract (-25)

The protocol owner has unilateral authority to pause the smart contract. If paused while escrow is deposited mid-negotiation, funds could be temporarily or permanently inaccessible. This creates a trust dependency on a third-party actor with no on-chain governance or multi-sig requirement disclosed.

MEDIUM: Signed transactions sent to 5 external blockchain RPC endpoints (-20)

The skill sends signed EVM/Solana transactions to RPC endpoints that are not under the user's control. While this is functionally necessary for blockchain interaction, it means the external RPC operators can observe all transaction patterns, wallet addresses, and timing of the agent's financial activity. The disclosed endpoints include one third-party aggregator (monad-testnet.drpc.org).

MEDIUM: npx execution of remote package without local install verification (-20)

The skill documentation instructs running 'npx @haggle-protocol/[email protected]' directly, which downloads and executes the package at runtime with no local integrity verification. npx resolves to whatever is currently published at that version tag. If the publisher's npm account were compromised and 0.2.0 re-published with malicious code, users running npx would execute the malicious version.

LOW: Agent granted authority to initiate and settle real financial transactions (-18)

The skill's MCP tools (create_negotiation, submit_offer, accept_offer) allow an agent to commit and transfer real USDC without per-transaction human confirmation. An adversarially crafted negotiation invitation from another agent could manipulate the local agent into accepting unfavorable settlement terms. The 'numeric offers only' claim reduces but does not eliminate prompt injection risk at the negotiation content layer.

LOW: Skill package publisher identity unverifiable (-12)

The npm org @haggle-protocol is not a widely known or established publisher. No npm provenance attestation, no Sigstore signing, and no community audit trail were observable. The reputation of the @haggle-protocol/[email protected] package cannot be independently confirmed from the audit evidence.

INFO: Transparent endpoint and credential disclosure (positive signal) (0)

The skill explicitly documents all external endpoints, the data sent to each, the credentials it requires, and the security model. The 'External Endpoints' and 'Security & Privacy' sections provide actionable transparency. This is a positive security practice that differentiates this skill from obfuscated ones.