Trust Assessment
usdc-escrow received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 10 findings: 8 critical, 2 high, 0 medium, and 0 low severity. Key findings include "Unescaped user input in URL path leads to shell command injection", "Unquoted user input in JSON payload allows shell command injection", and "Unescaped `--depositor` argument in URL query leads to shell command injection".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Unescaped user input in URL path leads to shell command injection The `ESCROW_ID` variable, taken directly from user input (`$1`), is interpolated into the `curl` command's URL path without proper sanitization. An attacker can inject shell metacharacters (e.g., `;`, `|`, `$(command)`) into `ESCROW_ID` to execute arbitrary commands on the host system. Implement robust input validation for `ESCROW_ID` to ensure it only contains expected characters (e.g., alphanumeric). Alternatively, properly URL-encode the path segment and ensure shell metacharacters are escaped before `curl` execution. A safer approach is to validate the input against a regex for the expected ID format. | LLM | scripts/claim-expired.sh:14 | |
| CRITICAL | Unescaped user input in URL path leads to shell command injection The `ESCROW_ID` variable, taken directly from user input (`$1`), is interpolated into the `curl` command's URL path without proper sanitization. An attacker can inject shell metacharacters (e.g., `;`, `|`, `$(command)`) into `ESCROW_ID` to execute arbitrary commands on the host system. Implement robust input validation for `ESCROW_ID` to ensure it only contains expected characters (e.g., alphanumeric). Alternatively, properly URL-encode the path segment and ensure shell metacharacters are escaped before `curl` execution. A safer approach is to validate the input against a regex for the expected ID format. | LLM | scripts/dispute-escrow.sh:14 | |
| CRITICAL | Unescaped user input in URL path leads to shell command injection The `ESCROW_ID` variable, taken directly from user input (`$1`), is interpolated into the `curl` command's URL path without proper sanitization. An attacker can inject shell metacharacters (e.g., `;`, `|`, `$(command)`) into `ESCROW_ID` to execute arbitrary commands on the host system. Implement robust input validation for `ESCROW_ID` to ensure it only contains expected characters (e.g., alphanumeric). Alternatively, properly URL-encode the path segment and ensure shell metacharacters are escaped before `curl` execution. A safer approach is to validate the input against a regex for the expected ID format. | LLM | scripts/get-escrow.sh:14 | |
| CRITICAL | Unescaped user input in URL path leads to shell command injection The `ESCROW_ID` variable, taken directly from user input (`$1`), is interpolated into the `curl` command's URL path without proper sanitization. An attacker can inject shell metacharacters (e.g., `;`, `|`, `$(command)`) into `ESCROW_ID` to execute arbitrary commands on the host system. Implement robust input validation for `ESCROW_ID` to ensure it only contains expected characters (e.g., alphanumeric). Alternatively, properly URL-encode the path segment and ensure shell metacharacters are escaped before `curl` execution. A safer approach is to validate the input against a regex for the expected ID format. | LLM | scripts/release-escrow.sh:14 | |
| CRITICAL | Unescaped user input in URL path leads to shell command injection The `ESCROW_ID` variable, taken directly from user input (`$1`), is interpolated into the `curl` command's URL path without proper sanitization. An attacker can inject shell metacharacters (e.g., `;`, `|`, `$(command)`) into `ESCROW_ID` to execute arbitrary commands on the host system. Implement robust input validation for `ESCROW_ID` to ensure it only contains expected characters (e.g., alphanumeric). Alternatively, properly URL-encode the path segment and ensure shell metacharacters are escaped before `curl` execution. A safer approach is to validate the input against a regex for the expected ID format. | LLM | scripts/resolve-dispute.sh:17 | |
| CRITICAL | Unquoted user input in JSON payload allows shell command injection In `scripts/create-escrow.sh`, `AMOUNT` and `DEADLINE_HOURS` are directly inserted into the JSON payload without quotes. This makes them vulnerable to shell command injection if an attacker provides input like `10; $(evil_command)` or JSON injection like `10, "evil": true`. Similarly, `RELEASE_TO_BENEFICIARY` in `scripts/resolve-dispute.sh` is unquoted, allowing similar injection attacks. Validate `AMOUNT` and `DEADLINE_HOURS` as numeric inputs and `RELEASE_TO_BENEFICIARY` as a boolean (`true` or `false`). If they must be treated as strings, they should be properly JSON-escaped and quoted. Using `jq -n --arg key "$value" '{$key}'` to construct JSON payloads is a safer approach. | LLM | scripts/create-escrow.sh:20 | |
| CRITICAL | Unquoted user input in JSON payload allows shell command injection In `scripts/create-escrow.sh`, `AMOUNT` and `DEADLINE_HOURS` are directly inserted into the JSON payload without quotes. This makes them vulnerable to shell command injection if an attacker provides input like `10; $(evil_command)` or JSON injection like `10, "evil": true`. Similarly, `RELEASE_TO_BENEFICIARY` in `scripts/resolve-dispute.sh` is unquoted, allowing similar injection attacks. Validate `AMOUNT` and `DEADLINE_HOURS` as numeric inputs and `RELEASE_TO_BENEFICIARY` as a boolean (`true` or `false`). If they must be treated as strings, they should be properly JSON-escaped and quoted. Using `jq -n --arg key "$value" '{$key}'` to construct JSON payloads is a safer approach. | LLM | scripts/resolve-dispute.sh:19 | |
| CRITICAL | Unescaped `--depositor` argument in URL query leads to shell command injection The value provided for the `--depositor` argument in `scripts/list-escrows.sh` is directly appended to the URL query string without proper URL encoding or shell escaping. An attacker can inject shell metacharacters (e.g., `&`, `;`, `$(command)`) to execute arbitrary commands. Properly URL-encode the depositor address before appending it to the query string. For example, use `jq -sRr @uri` or a similar tool to encode the string. | LLM | scripts/list-escrows.sh:27 | |
| HIGH | Unescaped user input in JSON string fields allows JSON/shell injection In `scripts/create-escrow.sh`, `BENEFICIARY` and `DESCRIPTION` are interpolated into JSON string fields. If these inputs contain unescaped double quotes (`"`) or backslashes (`\`), an attacker can break out of the JSON string. This can lead to JSON injection (altering the request's structure or data) or, if crafted carefully, shell command injection by inserting shell metacharacters after breaking out of the JSON string. Properly JSON-escape `BENEFICIARY` and `DESCRIPTION` before including them in the JSON payload. Using `jq` to construct the JSON is a safer approach, e.g., `jq -n --arg beneficiary "$BENEFICIARY" --arg description "$DESCRIPTION" '{beneficiary: $beneficiary, description: $description}'`. | LLM | scripts/create-escrow.sh:18 | |
| HIGH | API endpoint configurable via environment variable, enabling data exfiltration The `API_URL` for all `curl` commands is derived from the `ESCROW_API_URL` environment variable, with a default fallback. An attacker who can control the environment where the skill runs can set `ESCROW_API_URL` to a malicious server. This would redirect all API calls, potentially including sensitive arguments like `beneficiary_address`, `amount`, `description`, and `escrow_id`, to an attacker-controlled endpoint, leading to data exfiltration or manipulation of skill actions. If the API URL must be configurable, implement strict validation (e.g., a whitelist of allowed domains) for `ESCROW_API_URL`. For agent skills, it's often safer to hardcode trusted endpoints or use a secure configuration management system that prevents easy runtime modification by untrusted sources. | LLM | scripts/claim-expired.sh:4 | |