Scan Report
5 /100
pacta
Trustlessly hire other AI agents and guarantee payment on Base. Lock USDC in escrow, assign work, and release funds only when the job is done — or get an automatic 50/50 split if anything goes wrong.
Pacta is a legitimate blockchain escrow protocol SDK for agent-to-agent agreements on Base. All functionality is documented, credentials are environment-only, network calls are limited to Base RPC and The Graph subgraph, and no shell execution or credential exfiltration is present.
Safe to install
This skill is safe to use. Store PACTA_PRIVATE_KEY in a dedicated wallet funded only with what the agent needs, and never reuse a main wallet's key. The skill's integrity verification and chain ID checks add some protection against tampering and against signing for the wrong chain.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | handler.py:19 - reads bundled JSON files; pacta_client.py:0 - no file writes |
| Network | READ | READ | ✓ Aligned | pacta_client.py:67-68 - HTTPProvider for Base RPC, requests.Session() for subgra… |
| Shell | NONE | NONE | — | No subprocess, os.system(), or shell execution found in any file |
| Environment | READ | READ | ✓ Aligned | handler.py:95-99 - reads PACTA_PRIVATE_KEY, RPC_URL, etc. from env |
| Skill Invoke | NONE | NONE | — | No skill-to-skill invocation implemented |
| Clipboard | NONE | NONE | — | No clipboard access found |
| Browser | NONE | NONE | — | No browser automation found |
| Database | NONE | NONE | — | No database access found |
8 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://mainnet.base.org | handler.py:95 |
| Medium | Wallet Address | 0x0000000000000000000000000000000000000000 | pacta_client.py:920 |
| Medium | External URL | https://api.studio.thegraph.com/query/1745619/pacta/v1.0.0 | pacta_enabled.json:12 |
| Medium | Wallet Address | 0xb6a9d3ac5df53d1Ecd5fCd29e4E6Ac36aA024B00 | pacta_enabled.json:13 |
| Medium | Wallet Address | 0x8eb56365CF4Acf170D8557EF54d2153465bBC439 | pacta_enabled.json:18 |
| Medium | Wallet Address | 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 | pacta_enabled.json:22 |
| Medium | Wallet Address | 0x50c5725949A6F0c72E6C4a641F24049A917DB0Cb | pacta_enabled.json:26 |
| Medium | Wallet Address | 0x4200000000000000000000000000000000000006 | pacta_enabled.json:30 |
File Tree
7 files · 81.5 KB · 2052 lines
Python: 3 files · 1578 lines
JSON: 3 files · 341 lines
Markdown: 1 file · 133 lines
├─ checksums.json (JSON)
├─ handler.py (Python)
├─ manifest.json (JSON)
├─ pacta_client.py (Python)
├─ pacta_enabled.json (JSON)
├─ pacta_metadata.py (Python)
└─ SKILL.md (Markdown)
Dependencies 3 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| web3 | * | pip | No | Standard Ethereum/Base blockchain SDK |
| requests | * | pip | No | HTTP library for RPC and GraphQL calls |
| eth_utils | * | pip | No | Cryptographic utilities for keccak hashing |
All three dependencies are unpinned (`*`), so "No known vulns" applies to whatever release pip resolves at install time rather than to a fixed version; pin or lock them before relying on that status.
Security Positives
✓ SHA-256 file integrity verification at startup detects post-install modification of the bundled files. Because checksums.json ships inside the same bundle and nothing on this page indicates it is signed, an attacker who can rewrite the code can rewrite the manifest as well; the check catches accidental or partial tampering rather than a full replacement.
✓ Chain ID verification before signing ensures the configured RPC reports the expected chain, so a swapped or mistyped endpoint cannot cause a transaction to be signed for the wrong network. It does not protect against an endpoint that reports the right chain ID but returns false state or drops transactions.
✓ All private key usage is scoped to web3 transaction signing; the review found no code path that logs, stores or transmits the key.
✓ GraphQL queries are sanitized to prevent injection attacks
✓ Documentation is comprehensive and accurately describes all functionality
✓ Hardcoded contract ABIs eliminate dynamic code download risk
✓ Zero shell execution - all blockchain operations use the web3 library
✓ No base64, no eval(), no obfuscated payloads anywhere in the codebase
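The two checks credited above (startup integrity verification and the chain ID guard before signing), written out as a self-contained example. This is added illustration, not Pacta's code: the manifest layout (`{"files": {"<name>": "<hex sha256>"}}`), the function names, the `fake_rpc` stand-in and the constructed bundle in a temp directory are all assumptions. The only real-library touch point is `w3.eth.chain_id`, which web3.py exposes.

```python
"""Startup guard: verify bundled files against a checksums manifest and refuse
to sign against an RPC that reports the wrong chain. Added example, not
Pacta's own code; manifest layout, names and stub RPC are assumptions."""
import hashlib
import json
import os
import tempfile
from types import SimpleNamespace

BASE_MAINNET_CHAIN_ID = 8453  # EIP-155 chain ID of Base mainnet


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bundle(root: str, manifest_name: str = "checksums.json") -> list:
    """Compare every file listed in the manifest with its on-disk digest.
    Returns a list of problems; an empty list means the bundle matched."""
    with open(os.path.join(root, manifest_name), encoding="utf-8") as f:
        expected = json.load(f)["files"]  # assumed layout: name -> hex sha256
    problems = []
    for rel, digest in expected.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append("missing: " + rel)
        elif sha256_file(path) != digest.lower():
            problems.append("modified: " + rel)
    # A file that is present but absent from the manifest would otherwise pass
    # silently, so flag it too (a dropped-in module is a common vector).
    for name in sorted(os.listdir(root)):
        if name != manifest_name and name not in expected \
                and os.path.isfile(os.path.join(root, name)):
            problems.append("unlisted: " + name)
    return problems


def rpc_matches_chain(w3, expected_chain_id: int = BASE_MAINNET_CHAIN_ID) -> bool:
    """True if the endpoint reports the chain we intend to sign for.
    Works with web3.Web3 (w3.eth.chain_id) or any object with that attribute."""
    return int(w3.eth.chain_id) == expected_chain_id


def prepare_tx(w3, tx: dict, expected_chain_id: int = BASE_MAINNET_CHAIN_ID) -> dict:
    """Refuse to proceed against an unexpected chain and pin chainId into the
    transaction, so the signature is invalid anywhere but the intended chain."""
    if not rpc_matches_chain(w3, expected_chain_id):
        raise RuntimeError(
            f"RPC reports chain {w3.eth.chain_id}, expected {expected_chain_id}")
    if tx.get("chainId", expected_chain_id) != expected_chain_id:
        raise RuntimeError("transaction chainId disagrees with the expected chain")
    return {**tx, "chainId": expected_chain_id}


def fake_rpc(chain_id: int):
    """Constructed stand-in for a web3 instance, exposing only eth.chain_id."""
    return SimpleNamespace(eth=SimpleNamespace(chain_id=chain_id))


def demo_bundle() -> dict:
    """Constructed bundle in a temp dir: checked clean, after tampering with one
    file, and after the attacker also regenerates the manifest."""
    with tempfile.TemporaryDirectory() as root:
        files = {"handler.py": b"print('handler')\n", "pacta_client.py": b"# client\n"}
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        manifest = {"files": {n: sha256_file(os.path.join(root, n)) for n in files}}
        manifest_path = os.path.join(root, "checksums.json")
        with open(manifest_path, "w", encoding="utf-8") as f:
            json.dump(manifest, f)
        clean = verify_bundle(root)

        # Backdoor one module: its digest no longer matches the manifest.
        with open(os.path.join(root, "pacta_client.py"), "ab") as f:
            f.write(b"import os; os.system('id')\n")
        tampered = verify_bundle(root)

        # Same attacker rewrites the manifest too: nothing is detected, which is
        # why an in-bundle checksum file is not a substitute for a signature.
        manifest["files"]["pacta_client.py"] = sha256_file(os.path.join(root, "pacta_client.py"))
        with open(manifest_path, "w", encoding="utf-8") as f:
            json.dump(manifest, f)
        manifest_rewritten = verify_bundle(root)
    return {"clean": clean, "tampered": tampered, "manifest_rewritten": manifest_rewritten}


if __name__ == "__main__":
    print(demo_bundle())
    print(prepare_tx(fake_rpc(8453), {"to": "0x" + "00" * 20, "value": 0}))
```

The third result of `demo_bundle()` is the point of the caveat: once the manifest is regenerated alongside the modified file, the startup check reports a clean bundle. Pinning `chainId` in `prepare_tx` is what makes the chain check stick past startup; the signature itself then carries the chain binding.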