Sardis Policy

Review

Audited by ClawScan on May 18, 2026.

Overview

This skill matches its stated Sardis wallet-policy purpose, but it can create persistent spending policies with a Sardis API key without clear confirmation safeguards.

Install only if you intend to let the agent help manage Sardis wallet spending policies. Before use, ensure the agent asks for confirmation before creating or migrating policies, verifies every wallet ID and spending rule, and uses the narrowest Sardis API key available.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could create or alter spending-control policies for a Sardis wallet in a way that affects future wallet spending behavior.

Why it was flagged

The skill instructs the agent how to make remote policy-creation API calls. These are purpose-aligned, but they mutate financial wallet controls and the artifacts do not show an explicit approval or review step before POSTing.

Skill content

curl -X POST https://api.sardis.sh/v2/policies

Recommendation

Require explicit user confirmation before any POST or migration action, and review the generated rules, wallet ID, limits, vendors, and approval thresholds before sending the request.

What this means

Anyone or any agent action using this key may be able to access or modify Sardis wallet policy data within the key's permissions.

Why it was flagged

The skill uses a Sardis API key as a bearer credential for API calls. This is expected for the integration, but it is sensitive because it authorizes wallet policy operations.

Skill content

Authorization: Bearer $SARDIS_API_KEY

Recommendation

Use a least-privilege Sardis API key if available, keep it out of logs and shared prompts, and revoke or rotate it if exposed.

What this means

If an installer or user chooses to install the referenced package, additional code outside the reviewed artifact may run or be used.

Why it was flagged

The SKILL.md metadata references an npm package even though the provided registry context describes the skill as instruction-only with no install spec. No automatic execution is shown, but the package reference is unpinned and not otherwise reviewed here.

Skill content

install:
  npm:
    - "@sardis/sdk"

Recommendation

Verify whether the package is actually installed, pin trusted versions where possible, and review the package provenance before using it.