Skillv1.0.0

ClawScan security

Sardis Openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 8, 2026, 12:24 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (policy-controlled payments) lines up with most of its requirements, but there are multiple packaging and metadata inconsistencies (language/installer mismatch, missing declared binaries in some subskills, presence of code despite an 'instruction-only' claim) that warrant caution before installing and allowing autonomous invocation for a payments-capable skill.
Guidance: This appears to be a legitimate Sardis payment integration, but several red flags mean you should be careful before installing or letting it run autonomously: 1) Packaging/installer mismatch — the bundle includes Python source and a pyproject.toml but the SKILL.md suggests an npm SDK; clarify which runtime and installer are actually required. 2) Code present — although the SKILL.md shows only curl examples, the included Python code could read ~/.sardis/config.json or other local files; inspect the code (src/) to confirm what it accesses before trusting it. 3) Binaries mismatch — some subskills use jq in examples but the top-level metadata does not declare jq as required; ensure you have the listed tools and understand expected behavior. 4) Autonomous invocation + payments = real money risk — only enable model/autonomous invocation if the API key is scoped/revocable, limits are enforced server-side, policy enforcement is robust, and there is an approval/notification workflow. Recommended steps: review the Python source files to confirm they only call api.sardis.sh and don't phone home elsewhere; verify the GitHub repository and upstream package (sardis SDK) are the official project; use a restricted, revocable API key in a sandbox wallet for initial testing; and require manual approval or strong server-side policy checks before allowing live transactions.

Review Dimensions

Purpose & Capability: noteThe skill is a payments/payment-management integration and requests only the expected credentials (SARDIS_API_KEY, SARDIS_WALLET_ID) and curl. That matches the stated capabilities (payments, balances, policy enforcement). Minor mismatches: some subskills' SKILL.md examples use jq but the top-level required binaries list only curl; the package includes both Python code and a pyproject.toml (Python dependencies) while SKILL.md metadata suggests installing an npm package (@sardis/sdk). These inconsistencies don't prove malice but are unexpected for a single coherent distribution.
Instruction Scope: noteThe runtime instructions in SKILL.md restrict network calls to the Sardis API (api.sardis.sh) and emphasize policy checks and audit logging. They do not instruct exfiltration to unrelated endpoints. However the metadata declares a config path (~/.sardis/config.json) and code files are present in the bundle (Python package) — the SKILL.md text does not explain how/when that config is read. Because the bundle contains code that could read that file or other env variables at runtime, the instruction set as-distributed is broader than the plain curl examples.
Install Mechanism: concernRegistry metadata said 'No install spec — instruction-only', but the published package contains a pyproject.toml and multiple Python source files. Meanwhile SKILL.md metadata suggests installing an npm package (@sardis/sdk). This language/installer mismatch (Python package files vs npm install suggestion) is a packaging inconsistency that increases risk because it's unclear what will actually run or be installed. There is no explicit remote download URL or other high-risk installer, but the ambiguity about which runtime (Python vs Node) and the presence of local code makes the install/behavior surface larger than the simple curl examples.
Credentials: noteThe skill only requires SARDIS_API_KEY (primary) and SARDIS_WALLET_ID — both are expected for payment integration. It also declares a config path (~/.sardis/config.json) which could hold additional secrets or wallet config; that is proportionate to a payment wallet integration but means the skill may access sensitive local state beyond environment variables. Also some subskill SKILL.md examples use jq (not included in top-level bins), indicating incomplete declared runtime prerequisites.
Persistence & Privilege: notealways is false (good). disable-model-invocation is false, so the agent may autonomously call this skill — this is normal for skills but is higher-risk for a payments-capable skill because an agent could execute transactions if given permission. There is no evidence the skill modifies other skills or global agent config, but the presence of code files raises a possibility of local behavior beyond the documented curl calls.