Security audit

Sardis Openclaw

Security checks across malware telemetry and agentic risk

Overview

This is a real-money payments skill with coherent intent, but it exposes broad financial actions and sensitive card/identity workflows without enough user-confirmation and scoping safeguards.

Install only with sandbox or low-limit Sardis credentials, confirm every payment/card/escrow/policy action manually, avoid exposing card reveal responses in chat/logs, and review the bundled extra capabilities before allowing model invocation or production wallet access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares and demonstrates live network payment capabilities via curl and remote API endpoints, but the metadata shown does not declare corresponding permissions. In a payment-execution skill, this mismatch is dangerous because it can obscure the real capability surface from users or policy engines and enable outbound financial actions without explicit permission review.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The package metadata names the project "sardis-openclaw" and describes it as an OpenClaw skill, while the supplied skill metadata identifies it as a payment skill. This kind of identity/scope mismatch can mislead reviewers, operators, and dependency consumers about what is being installed, reducing transparency and making it easier for risky payment-related capability to be misclassified or trusted under the wrong name.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill’s security model says full card numbers and CVVs must never be exposed, yet the documentation includes a full PAN/CVV example. Even if these appear to be sample values, embedding realistic payment-card secrets in docs normalizes unsafe handling and increases the chance that downstream agents, wrappers, or users will log, display, or copy sensitive reveal payloads into insecure places.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
This section explicitly labels the reveal endpoint as sensitive and says the response must never be logged or displayed, but then prints the full sensitive payload in the docs. In an agent-skill context, examples are often imitated verbatim, so this contradiction materially increases the chance of secret disclosure of live card data through model outputs, logs, traces, chat transcripts, or observability tooling.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file metadata and body describe an identity-management skill, while the surrounding package context says this is a payment skill. That mismatch can cause reviewers, policy engines, or users to authorize the skill under the wrong trust assumptions, potentially granting identity and reputation operations where only payment behavior was expected.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The documented capabilities include identity registration, credential retrieval, reputation submission, and identity card issuance, which are broader than a payment-only purpose. In an agent ecosystem, overbroad capabilities increase the chance of unnecessary sensitive-data processing and privilege creep, especially because identities are described as tied to payment capabilities.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes payment execution and virtual card issuance as agent capabilities but does not prominently warn that these actions can move real funds or create real financial obligations. In an agent-skill context, omission of an explicit financial-risk warning increases the chance that operators test or enable the skill in production-like environments and trigger irreversible transactions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The quick-start section includes live POST examples for payments and card creation using real API endpoints and bearer tokens, without any caution that these requests may execute real financial operations. Users may copy-paste these commands with valid credentials and unintentionally send funds or issue cards, causing immediate monetary impact.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest description is broad enough to match many ordinary purchase or card-management requests without making clear that this skill performs real financial operations. Overbroad routing is dangerous for agent systems because it can cause invocation in contexts lacking explicit user approval, policy checks, or human review for card issuance and spend-control changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation provides operational instructions for issuing cards, revealing card details, changing limits, unfreezing, terminating, and bulk freezing cards, but it does not clearly require explicit authorization or warn that these actions have real financial and availability consequences. In an AI-agent setting, omission of such guardrails materially increases the risk of unauthorized spending, card misuse, service disruption, or accidental destructive actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents creation, funding, release, and especially auto-release of escrowed funds, but it does not prominently warn that these actions can cause real, potentially irreversible financial transfers. In an agent-skill context, missing transaction-risk warnings increase the chance that users or downstream agents invoke payment flows without adequate human confirmation or understanding of settlement consequences.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill sends agent identity, wallet, reputation, and transaction-linked data to an external API but does not provide an explicit user-facing warning about what data leaves the local environment. This can lead to uninformed disclosure of sensitive operational and identity information to a third party.

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"name": "Daily Limit", "description": "Max $500/day"}'

# Execute payment (sardis-payment)
curl -X POST https://api.sardis.sh/v2/payments \
  -H "Authorization: Bearer $SARDIS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"wallet_id": "wallet_123", "to": "0x...", "amount": "25.00", "token": "USDC"}'
Confidence
82% confidence
Finding
https://api.sardis.sh/

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"wallet_id": "wallet_123", "to": "0x...", "amount": "25.00", "token": "USDC"}'

# Issue virtual card (sardis-cards)
curl -X POST https://api.sardis.sh/v2/cards \
  -H "Authorization: Bearer $SARDIS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"agent_id": "agent_123", "spending_limit": {"daily": "500.00"}}'
Confidence
81% confidence
Finding
https://api.sardis.sh/

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 2: Only proceed if allowed
if echo $POLICY_CHECK | grep -q '"allowed":true'; then
  curl -X POST https://api.sardis.sh/v2/payments \
    -H "Authorization: Bearer $SARDIS_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{"wallet_id": "'$SARDIS_WALLET_ID'", "to": "0x...", "amount": "25.00", "token": "USDC", "chain": "base"}'
Confidence
78% confidence
Finding
curl -X POST https://api.sardis.sh/v2/payments \ -H "Authorization: Bearer $SARDIS_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 2: Only proceed if allowed
if echo $POLICY_CHECK | grep -q '"allowed":true'; then
  curl -X POST https://api.sardis.sh/v2/payments \
    -H "Authorization: Bearer $SARDIS_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{"wallet_id": "'$SARDIS_WALLET_ID'", "to": "0x...", "amount": "25.00", "token": "USDC", "chain": "base"}'
Confidence
78% confidence
Finding
https://api.sardis.sh/

VirusTotal

65/65 vendors flagged this skill as clean.