escrow-agent
Audited by Socket on Feb 16, 2026
1 alert found:
Security [Skill Scanner] Download or install from free hosting/deployment platform detected

All findings:
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]

This skill's stated purpose (escrow for agent-to-agent payments) aligns with the capabilities described. There is no explicit malicious code in the provided documentation text. However, there are multiple supply-chain and privacy risks: use of npx to run latest package (remote code execution risk), encouragement to pass raw private keys to processes launched via npx, a centralized indexer/API and dashboard of unspecified behavior, and an AI arbitrator whose verification and data handling are not detailed. These factors make the package SUSPICIOUS for production use with real funds until (1) the code is audited, (2) the data flows to the indexer/arbitrator are documented and minimized, and (3) use of npx for runtime execution is replaced by pinned releases or local installs. Do not run the MCP npx command or place live/private keys into env for this package unless you trust the package source and have audited the code.

Summary: likely legitimate purpose but operationally risky — treat as suspicious and require code review/audit before using with significant funds.

LLM verification: No direct malicious code is present in this SKILL.md fragment. The design and requested capabilities are broadly consistent with an escrow SDK: private keys and RPC endpoints are necessary to sign on-chain transactions.
However, there are notable supply-chain and operational risks: unpinned package installs, example code that encourages raw private-key usage, and references to third-party hosted URLs and an 'MCP' server that could, if used, expose sensitive data. Because those factors increase t