Skill v4.2.1
ClawScan security
Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 11:16 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested credentials, instructions, and behavior are consistent with a Sigil agent-wallet integration; nothing in the skill suggests misdirection or unrelated access requests, though the agent-signer private credential is sensitive and must be handled carefully.
- Guidance: This skill appears to do what it claims, but it requires a sensitive signing credential (SIGIL_AGENT_SIGNER). Before installing:
  1) Confirm sigil.codes and the listed GitHub repo are legitimate and match your expected provider.
  2) Never place the agent private key in shared plaintext environment files—use a secrets manager (1Password CLI, Vault, AWS Secrets Manager) and set restrictive file permissions if stored locally.
  3) Fund only the Sigil smart account and give the agent signer minimal gas, as the docs recommend.
  4) Rotate agent signing credentials regularly and revoke immediately if you suspect compromise.
  5) Limit the SIGIL_API_KEY scope and monitor audit logs for unexpected tx submissions.
  If you need higher assurance, ask the publisher for an explicit statement on how the agent signer is used (is it stored, transmitted, or only used for local signing via EIP-191/EIP-712?), and verify the on-chain contracts and Guardian service addresses before trusting significant funds.
Review Dimensions
- Purpose & Capability (ok): Name/description (agent wallet protection via Sigil) matches the declared env vars (API key, account address, agent signer) and the SKILL.md usage (authenticate, evaluate, execute UserOps). Requested artifacts are what an ERC-4337 guardian/co-signing integration would reasonably need.
- Instruction Scope (ok): SKILL.md limits runtime actions to obtaining a JWT with the API key, evaluating/executing UserOps against api.sigil.codes, and local signing of UserOps. It does not instruct the agent to read unrelated system files or exfiltrate data to unexpected endpoints. It advises secure storage practices for credentials.
- Install Mechanism (ok): No install spec and no code files to execute are provided (instruction-only); this minimizes disk-write/install risk. package.json only documents env requirements. No remote downloads or extracts are present.
- Credentials (note): The three required env vars are proportional to the described purpose: SIGIL_API_KEY (API auth), SIGIL_ACCOUNT_ADDRESS (target smart account), SIGIL_AGENT_SIGNER (signing credential). Note: SIGIL_AGENT_SIGNER is effectively a private signing credential/EOA key; requiring it is reasonable for local UserOp signing but it is highly sensitive — storing it in env vars or plaintext is risky and the skill correctly recommends secrets manager usage and rotation.
- Persistence & Privilege (ok): The always flag is false and the skill is user-invocable. It does not request persistent agent-level privileges or modify other skills. Autonomous model invocation is allowed by default but is not combined with other red flags here.
