Is jakemeyer125-design/clawpay-escrow safe?
https://github.com/openclaw/skills/tree/main/skills/jakemeyer125-design/clawpay-escrow
ClawPay is a Solana escrow skill whose SKILL.md contains no direct prompt injection or hidden instructions, but whose design creates a severe supply-chain and financial-credential risk: it mandates installation of the unaudited 'clawpay' PyPI package, which receives the user's raw Solana private key at runtime and can make arbitrary network connections. The default 30-second verification window combined with agent-autonomous auto_release calls makes fraud trivially achievable in agent-to-agent payment scenarios. Clone behavior was clean (GitHub only), and canary file integrity passed, but the structural risks of private key exposure through an unverified package render this skill unsuitable for deployment without independent SDK audit.
Findings (9)
HIGH Mandatory installation of unverified PyPI package -35
The skill unconditionally instructs the agent to run 'pip3 install clawpay'. The clawpay package on PyPI is unverified, has no version pin, no hash requirement, and no audit trail. Any compromise of the package (malicious maintainer, typosquatting, account takeover) results in arbitrary code execution on the user's machine with full access to the private key and all connected services.
HIGH Private key files actively sought and loaded into untrusted SDK -30
The skill instructs the agent to search three hardcoded filesystem paths for Solana keypair files and then pass the deserialized private key directly to the unverified ClawPay SDK via Client(keypair). A malicious SDK could log, transmit, or reuse the private key without any indication to the user.
HIGH Solana private key search spans multiple filesystem locations -25
Before the user provides a path, the skill instructs the agent to probe ~/wallet.json, ~/.config/solana/id.json, and ~/projects/clawpay/program-keypair.json. This constitutes unsolicited filesystem traversal for high-value credentials beyond the declared SOLANA_KEYPAIR_PATH env var.
HIGH 30-second verification window enables automated fraud -25
The default verification_secs is 30 seconds. In an agent-to-agent payment scenario, a malicious seller agent can call confirm_delivery() immediately after the escrow is created, and the auto_release timer then expires before a human buyer can intervene. This effectively bypasses the escrow protection entirely.
MEDIUM Canary credential files accessed during audit window -10
inotify and auditd recorded OPEN and ACCESS events against .env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at two separate timestamps. Timing and process context (sudo/PAM, repeated sshd motd loops) strongly suggest these are system-level accesses, not skill-driven. Canary integrity check confirms no exfiltration. Reported as medium due to ambiguity.
MEDIUM Real mainnet SOL transactions with no spending limit enforcement -20
The skill operates on Solana Mainnet by default and has no hard cap below the stated 10 SOL maximum per escrow. The skill says 'never assume an amount' but provides no mechanism to enforce this at the protocol level. A compromised or confused agent could initiate a 10 SOL transaction without adequate user confirmation.
MEDIUM Broad trigger conditions may intercept unrelated user requests -10
The description activates the skill on 'pay an agent', 'buy a service', 'check payment status', or 'view transaction history' — phrases common in general business contexts. An agent with this skill loaded could invoke ClawPay workflows when the user intended a different payment system.
LOW Multiple external URLs embedded in skill documentation -5
The Links and Verification sections reference claw-pay.com, pypi.org/project/clawpay/, and github.com/jakemeyer125-design/ClawPay-SDK. If an agent is instructed to fetch these URLs for additional context, it could be redirected to attacker-controlled content. The URLs themselves appear legitimate but are unverifiable without deeper SDK audit.
INFO No malicious files found in skill repository 0
The installed skill contains only SKILL.md and _meta.json. No executable scripts, git hooks, gitattributes smudge filters, gitmodules, or symlinks were found. The code execution risk is entirely from the runtime pip install instruction, not from files committed to the monorepo.