Sardis Openclaw
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a purpose-built Sardis payments skill, but it can give an agent real payment, card-management, and wallet-control authority, so it needs careful review and strict limits.
Install only if you are comfortable giving an agent limited financial authority. Use a separate Sardis wallet, low spending limits, recipient/vendor allowlists, restricted API keys, explicit human approval for payments and card reveal, and close monitoring/audit alerts before using this with real funds.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent mistake, prompt manipulation, or overly broad task could send real funds if the Sardis API key and policy allow it.
The main skill is available for model invocation and documents direct payment execution through the Sardis API; the artifacts rely on external policy/approval behavior but do not define an explicit human confirmation gate or bounded recipient/amount scope.
disable-model-invocation: false ... curl -X POST https://api.sardis.sh/v2/payments
Use a dedicated low-limit wallet, enforce Sardis spending policies, and require explicit human confirmation for every payment before allowing the agent to call the payment endpoint.
A broadly scoped or mishandled API key could let the agent perform more financial/account operations than the user intended.
The skill requires a bearer API key and wallet identifier for financial actions, but the artifacts do not describe the API key's least-privilege scope, allowed operations, revocation behavior, or wallet isolation.
requires: env: SARDIS_API_KEY, SARDIS_WALLET_ID ... Authorization: Bearer $SARDIS_API_KEY
Create a restricted Sardis API key for this skill only, limit it to a specific wallet and operation set, rotate it regularly, and avoid using keys tied to high-value wallets.
Full card details could enter the agent context, terminal output, or logs and be reused or exposed accidentally.
The card-management skill can retrieve full virtual card credentials, including CVV. The warning is disclosed, but no technical redaction or output-control mechanism is described in the artifact.
Retrieve Card Number (Sensitive) ... /cards/{card_id}/reveal ... number ... cvv ... WARNING: Never log or display this responseOnly allow card reveal on explicit user request, use short-lived low-limit cards, disable logging/redact tool output for card data, and prefer masked card details whenever possible.
Incorrect or over-eager use could interrupt legitimate payments or leave a wallet disabled until recovery steps are completed.
The guardrails skill intentionally exposes emergency controls that can halt all wallet transactions. This is purpose-aligned, but it is a high-impact account-state change.
Kill Switch Control: Emergency stop all transactions wallet-wide ... /guardrails/kill-switch/activate
Restrict kill-switch activation to clearly defined emergency workflows and require confirmation or operator review before activation/deactivation.
Users may have less assurance that the published package and documentation came from the expected Sardis publisher.
The artifact set does not establish source provenance. That is not malicious by itself, but provenance matters more for a skill that asks for payment credentials.
Source: unknown
Verify the publisher, homepage, repository, and any SDK/package installs before setting SARDIS_API_KEY or using the skill with real funds.