Sardis Balance

Review

Audited by ClawScan on May 1, 2026.

Overview

Sardis Balance appears to be a disclosed read-only wallet analytics skill, but it needs a Sardis API key that can expose sensitive wallet balances and transaction history.

Before installing, make sure the Sardis API key is read-only and scoped to wallets this agent is allowed to inspect. Do not treat the skill as risk-free just because it cannot execute payments; balances and transaction history are still sensitive.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may be able to retrieve balances, budgets, spending summaries, and transaction history for all wallets authorized by the key.

Why it was flagged

The skill needs a Sardis bearer API key and states it can query any wallet the key can access; this is expected for wallet analytics, but it is broad read access to financial account data.

Skill content

    requires:
      env:
        - SARDIS_API_KEY
    ...
    Note: No WALLET_ID required - can query any wallet you have access to.

Recommendation

Use the least-privileged read-only Sardis key available, limit which agents can use it, and rotate the key if it may have been exposed.

What this means

A user might think there is no meaningful risk because the skill cannot spend funds, even though it can still reveal sensitive financial activity.

Why it was flagged

The read-only framing matches the visible GET-based examples, but 'safe for unrestricted use' may understate the confidentiality risk of exposing wallet balances and transaction history.

Skill content

    **READ-ONLY**: This skill cannot execute payments or modify wallet state. Safe for unrestricted use.

Recommendation

Treat read-only as meaning no payment execution, not as privacy-risk-free; only allow use where the wallet data can be safely viewed.

What this means

An installer that acts on this metadata could fetch a package that is not needed by the documented commands.

Why it was flagged

The visible workflows use only curl and jq, and the supplied install spec field reads "no install spec", so this unpinned npm package reference appears unnecessary or inactive; if an installer honored it, it would introduce an external dependency that the documented commands never use.

Skill content

    install:
      npm:
        - "@sardis/sdk"

Recommendation

Confirm whether the npm dependency is actually installed; if it is needed, prefer a pinned version and clear provenance, otherwise remove the unused install metadata.