Sardis — Payment OS for AI Agents

v1.1.0

Payment OS for AI agents. Create MPC wallets, execute stablecoin payments with automatic policy enforcement, set spending rules in natural language, check ba...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (payment OS, wallets, policies, cards) align with the requested env var (SARDIS_API_KEY), required binary (curl), packaged code, and API endpoints. The package includes many payment-related subskills and a FastAPI-based local skill server consistent with the stated purpose.
Instruction Scope
SKILL.md contains straightforward curl-based instructions for wallet creation, payments, policy checks, etc., which stay within the payment domain. Notable issues: (1) inconsistent header examples (some examples use X-API-Key, others use Authorization: Bearer) which could cause confusion or incorrect usage; (2) examples show running a local FastAPI skill server and passing 'api_key' inside the request context — be careful not to log or expose keys when using the server. The instructions do not ask the agent to read unrelated local files or system credentials.
Install Mechanism
Install uses the 'uv' package kind (sardis-openclaw) and subskill SKILL.md examples reference installing @sardis/sdk via npm. There are no ad-hoc downloads from unknown URLs in the manifest. Installing npm packages or the upstream 'sardis' dependency introduces normal third-party package risk; this is expected for an SDK but should be reviewed. The install footprint and archive-extraction risk appear moderate and proportional to the skill's purpose.
Credentials
Primary credential is SARDIS_API_KEY which is appropriate for a payment integration. A few subskills (e.g., tempo-pay) mention additional env vars like SARDIS_WALLET_ID and SARDIS_TEMPO_RPC_URL — these are plausible for specialized features but mean additional secrets/config may be required for some functionality. No unrelated cloud or system credentials are requested.
Persistence & Privilege
always is false and the skill does not request system-wide config changes or other skills' credentials. The skill can be invoked autonomously (default) — normal for skills — but because it can execute real payments, you should consider restricting autonomous payment execution or requiring human approval when deploying.
Assessment
This package appears to be what it says: a Sardis payment integration that needs a Sardis API key. Before installing:
(1) Verify the upstream packages (pip 'sardis' and the GitHub repo) to ensure you're comfortable with third-party code;
(2) Confirm what permissions the SARDIS_API_KEY grants in your Sardis account (limit it to test wallets or read-only if possible);
(3) Prefer using the read-only subskill (sardis-balance) when exploring;
(4) Resolve the header inconsistency (X-API-Key vs Authorization: Bearer) in your deployment to avoid accidental credential leakage;
(5) If you allow autonomous agent invocation, require human approval or per-transaction confirmation for any real-money payments and enable the guardrails/kill-switch features;
(6) Rotate keys after testing and monitor payment logs/alerts closely.

Like a lobster shell, security has layers — review code before you run it.

Tags: AI-agent, USDC, finance, latest, payments, wallet

Runtime requirements

💳 Clawdis
Bins: curl
Env: SARDIS_API_KEY
Primary env: SARDIS_API_KEY

Install

uv: uv tool install sardis-openclaw