Sign-in with Agent
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with SIWA authentication, but it also documents wallet/payment signing flows that could spend funds without clear per-payment approval or limits.
Use this only with a dedicated low-value agent wallet and reviewed provider credentials. Before enabling payments or onchain registration, require user confirmation, verify contract addresses and payees, set spending limits, and pin/review the external SDK and keyring proxy deployment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or misconfigured service could present an unexpected payment request, and the agent may be guided to authorize payment without the user reviewing the cost or recipient.
This describes an agent-side flow that can sign and submit a payment based on a server-provided 402 response, choosing the first option, without specifying user approval, amount limits, asset restrictions, or payee validation.
When an API requires payment, it returns HTTP 402... The agent decodes the payment options, constructs a signed payment, and retries... const option = accepts[0]; ... "Payment-Signature": encodeX402Header(payload)
Require explicit user approval for each payment, enforce maximum spend limits, validate amount/asset/payee/resource, and avoid automatic retries with payment signatures unless the user has pre-authorized a policy.
If the private key or signing environment is compromised, an attacker could sign messages or transactions as the agent wallet.
The skill supports using a raw wallet private key for signing. That is purpose-aligned for SIWA authentication, but it grants high-impact authority over the wallet.
const account = privateKeyToAccount(process.env.PRIVATE_KEY as `0x${string}`); ... PRIVATE_KEY=0x...your-private-keyPrefer a low-value dedicated wallet, keyring proxy, hardware/managed wallet, or vault-backed secret storage; never reuse a wallet that holds significant funds or broad account authority.
Users must trust the external SDK/container that may handle signing operations or private-key custody.
The documented keyring proxy depends on an external container image and the main docs also install an external npm SDK. This is expected for the integration, but the artifacts do not pin a digest or include the external code for review.
docker run -p 3100:3100 ... ghcr.io/builders-garden/siwa-keyring-proxy
Verify package and image provenance, pin versions or image digests, review the external code where possible, and avoid supplying production keys until the deployment is trusted.