Sardis Policy

v1.0.0

Natural language spending policy creation and management for Sardis agent wallets

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description, required binaries (curl, jq) and required env var (SARDIS_API_KEY) align with making HTTP calls to a Sardis API to create/manage policies. Small inconsistencies: registry metadata reported 'No install spec' and 'Homepage: none', yet SKILL.md includes a homepage (https://sardis.sh) and an install hint (npm: @sardis/sdk). These are likely bookkeeping issues but should be clarified.
Instruction Scope
SKILL.md only shows curl-based calls to the Sardis API and sample usage that requires wallet IDs and the SARDIS_API_KEY. There are no instructions to read local files, secrets beyond SARDIS_API_KEY, or to exfiltrate data to unrelated endpoints. The instructions are scoped to policy creation, listing, testing, and template usage.
Install Mechanism
Registry metadata indicated 'No install spec', but SKILL.md contains an 'install' block recommending npm install of '@sardis/sdk'. Installing an npm SDK is a common, moderate-risk action if performed, but the mismatch between declared install spec and SKILL.md is an inconsistency that should be resolved so you know whether the platform will fetch/execute that package.
Credentials
Only SARDIS_API_KEY is required and is appropriate for an API that manages spending policies. No other unrelated secrets, config paths, or broad credentials are requested.
Persistence & Privilege
The skill is user-invocable and allowed to be invoked autonomously (disable-model-invocation: false), which is the platform default. Because actions affect agent wallets (policy creation is immutable per the doc), consider whether you want agents to call this skill autonomously. There is no 'always: true' or other elevated persistence requested.
Assessment
Before installing, verify the source and installation behavior:
1) Confirm the official Sardis homepage (https://sardis.sh) and the npm package @sardis/sdk are legitimate and reviewed; the SKILL.md references that package but the registry shows no install spec—ask whether your platform will run npm install automatically.
2) Ensure the SARDIS_API_KEY you provide is minimally scoped (test/dev key if possible) and rotate it if you later uninstall.
3) Test the skill against a non-production/test wallet to confirm the API endpoints behave as documented and to understand the immutability/migration implications.
4) If you don't want autonomous agents creating immutable policies, consider disabling autonomous invocation for this skill.
5) If the platform would perform npm installs, inspect the package contents (or its provenance) before allowing installation.

Like a lobster shell, security has layers — review code before you run it.

latestvk979k5a5qhbpyeax2fr63akwxx82gs1w

Runtime requirements

🛡️ Clawdis
Bins: curl, jq
Env: SARDIS_API_KEY
Primary env: SARDIS_API_KEY
