Sign-in with Agent

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: siwa
Version: 0.0.4

The skill is classified as suspicious due to the inherent risks associated with its core functionality and specific instructions, despite a strong stated security model. Key indicators include instructions in `CLAUDE.md` and `keyring-proxy/skill.md` to run a Docker container (`ghcr.io/builders-garden/siwa-keyring-proxy`) for key management, which is a powerful command that could be risky if the image were compromised. Additionally, `private-key/skill.md` explicitly allows using a raw private key from an environment variable, which, while accompanied by clear security warnings and recommendations for safer alternatives, represents a less secure option that could lead to vulnerabilities if mishandled by the agent or user. The skill's purpose of managing cryptographic keys and performing on-chain transactions is legitimate, and its documentation (`references/security-model.md`) demonstrates a proactive approach to security, but the high-risk capabilities prevent a 'benign' classification.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

A malicious or misconfigured service could present an unexpected payment request, and the agent may be guided to authorize payment without the user reviewing the cost or recipient.

Why it was flagged

This describes an agent-side flow that can sign and submit a payment based on a server-provided 402 response, choosing the first option, without specifying user approval, amount limits, asset restrictions, or payee validation.

Skill content

When an API requires payment, it returns HTTP 402... The agent decodes the payment options, constructs a signed payment, and retries... const option = accepts[0]; ... "Payment-Signature": encodeX402Header(payload)

Recommendation

Require explicit user approval for each payment, enforce maximum spend limits, validate amount/asset/payee/resource, and avoid automatic retries with payment signatures unless the user has pre-authorized a policy.

What this means

If the private key or signing environment is compromised, an attacker could sign messages or transactions as the agent wallet.

Why it was flagged

The skill supports using a raw wallet private key for signing. That is purpose-aligned for SIWA authentication, but it grants high-impact authority over the wallet.

Skill content

const account = privateKeyToAccount(process.env.PRIVATE_KEY as `0x${string}`); ... PRIVATE_KEY=0x...your-private-key

Recommendation

Prefer a low-value dedicated wallet, keyring proxy, hardware/managed wallet, or vault-backed secret storage; never reuse a wallet that holds significant funds or broad account authority.

What this means

Users must trust the external SDK/container that may handle signing operations or private-key custody.

Why it was flagged

The documented keyring proxy depends on an external container image and the main docs also install an external npm SDK. This is expected for the integration, but the artifacts do not pin a digest or include the external code for review.

Skill content

docker run -p 3100:3100 ... ghcr.io/builders-garden/siwa-keyring-proxy

Recommendation

Verify package and image provenance, pin versions or image digests, review the external code where possible, and avoid supplying production keys until the deployment is trusted.