kustodia-escrow
mcp smithery
Agentic escrow payments for AI agents. Create, fund, and release escrow payments across fiat (MXN/USD via SPEI/wire) and crypto (USDC/USDT/MXNB on Arbitrum, Base, Polygon, Solana).

**36 tools** covering:
- **Fiat escrows**: SPEI/wire deposits, KYC-gated release, dispute resolution
- **Web3 escrows**: on-chain ERC-20 escrows with relayer, 7 supported chains
- **Confidential escrows**: FHE-encrypted amounts (Fhenix CoFHE)
- **Recurring payments**: subscription billing with auto-cycles
- **Agent trading**: wallet registration, P2P escrow between agents
- **Delivery oracle**: auto-release on carrier delivery confirmation
- **Solana Blinks**: shareable payment links via Phantom

Get your API key at [kustodia.app/register](https://kustodia.app/register)
By Smithery | 86 findings | Scanned 6/3/2026 | tooltrust-scanner/v0.3.13
Risk Summary
Needs Approval
Dep Visibility plus Excessive Permissions raises enough risk that this tool should not be auto-trusted.
Potential impact: This finding indicates the tool should be reviewed before it is trusted.
Recommended action: Keep this tool behind manual approval and avoid unattended runs until the risky capabilities are narrowed or removed.
Suggested policy: keep this tool behind manual approval, do not allow unattended runs, and re-scan after narrowing risky permissions.
Security Findings (86)
tool declares exec permission
create_escrow, upload_evidence, raise_dispute, fund_with_session_key, create_solana_blink, pause_recurring, resume_recurring, cancel_recurring, get_recurring_status
tool declares network permission
request_refund, release_confidential_escrow, create_solana_blink, get_escrow_evidence
Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.
input parameter "token" appears to accept a secret or credential
create_web3_escrow, fund_agent_wallet, create_confidential_escrow, create_recurring_escrow
input parameter "agent_private_key" appears to accept a secret or credential
fund_web3_escrow
input parameter "token_address" appears to accept a secret or credential
create_session_key
input parameter "token_decimals" appears to accept a secret or credential
fund_with_session_key
input parameter "supported_tokens" appears to accept a secret or credential
register_agent_wallet
input parameter "tokens" appears to accept a secret or credential
check_balance
Fix: Avoid accepting raw credentials as input parameters. Use secret managers (e.g. 1Password CLI, AWS Secrets Manager) and ensure credentials are never logged or stored in agent traces.
get_recurring_status: tool name "get_recurring_status" implies read-only operation but declares exec permission
Fix: Ensure tool names, descriptions, and permission declarations are internally consistent. Use explicit naming conventions that fully reflect actual capabilities.
tool declares fs permission
create_escrow, upload_evidence, create_web3_escrow, create_session_key, get_trust_score, create_confidential_escrow, create_solana_blink, get_escrow_evidence, create_recurring_escrow
Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.
input schema exposes 19 properties (threshold: 10)
create_escrow
tool declares http permission
fund_agent_wallet, create_recurring_escrow
input schema exposes 13 properties (threshold: 10)
create_recurring_escrow
Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.
tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration
create_escrow, upload_evidence, raise_dispute, request_refund, fund_with_session_key, fund_agent_wallet, release_confidential_escrow, create_solana_blink, get_escrow_evidence, create_recurring_escrow, pause_recurring, resume_recurring, cancel_recurring, get_recurring_status
Fix: Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.
Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.
create_escrow, check_status, release_funds, upload_evidence, get_fx_rate, list_payments, cancel_payment, raise_dispute, request_refund, create_web3_escrow, fund_web3_escrow, release_web3_escrow, dispute_web3_escrow, check_web3_status, list_web3_escrows, get_web3_escrow, create_session_key, fund_with_session_key, register_agent_wallet, fund_agent_wallet, list_trade_offers, accept_trade, check_balance, get_trust_score, create_confidential_escrow, fund_confidential_escrow, release_confidential_escrow, create_solana_blink, get_escrow_evidence, create_recurring_escrow, pause_recurring, resume_recurring, cancel_recurring, approve_cycle, list_recurring, get_recurring_status
Fix: Review and remediate the identified issue.
Scan this tool yourself
Reproduce this audit locally, integrate into CI, or let your agent audit its own tools.
Install once, then scan any MCP server:
$ curl -sfL https://raw.githubusercontent.com/AgentSafe-AI/tooltrust-scanner/main/install.sh | bash
$ tooltrust-scanner scan --server "npx -y kustodia-escrow"
Adjust the package name if your npm registry name differs from the tool ID.