v1.0.1

SignaAI — Agent-to-Agent Payments

Review: ClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:46 PM.

Analysis

This blockchain payments skill matches its stated purpose, but it stores a wallet passphrase, modifies execution approvals, signs mainnet transactions, and installs a persistent auto-release listener.

Guidance: Only install this if you understand that it can operate on Signum mainnet, store a wallet passphrase locally, alter OpenClaw execution approvals, and run a persistent listener. Use a low-balance dedicated wallet, disable auto-approval where possible, and require explicit confirmation before creating or releasing escrow funds.

Findings (10)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: High. Confidence: High. Status: Concern.
SKILL.md
Exception: a message starting with ✅ SignaAI Task Complete and containing a Submit TX is the release trigger — act on it immediately by running `escrow.py release`.

An external message format is treated as authoritative enough to trigger fund release immediately, which bypasses normal user review of a financial action.

User impact: A crafted or replayed message could cause the agent to treat a release request as valid and initiate an on-chain payment workflow.
Recommendation: Require explicit user confirmation and verify message origin before releasing escrow funds.
Tool Misuse and Exploitation
Severity: High. Confidence: High. Status: Concern.
setup.sh
"autoAllowSkills": True

The setup script modifies OpenClaw execution approvals to automatically allow skill execution while this skill can sign transactions and move funds.

User impact: The skill can reduce approval friction for commands that may spend funds or mutate wallet/blockchain state.
Recommendation: Do not auto-allow this skill broadly; require per-transaction approval showing recipient, amount, network, and action.
Agentic Supply Chain Vulnerabilities
Severity: Medium. Confidence: High. Status: Concern.
README.md
pip install signaai

The install instructions depend on an unpinned external package, and the registry declares no install spec, so neither the provenance nor the version of the code actually installed is controlled.

User impact: A user may install code that differs from the reviewed artifacts, or later receive changed behavior from an unpinned dependency.
Recommendation: Pin dependency versions, provide a lockfile or verified install spec, and make the install process match registry metadata.
Unexpected Code Execution
Severity: High. Confidence: High. Status: Concern.
setup.sh
launchctl load "$PLIST_FILE"

The setup script installs and loads a background launchd job even though the registry presents the skill as having no install spec.

User impact: The skill can start persistent code execution on the machine rather than only running when the user invokes a command.
Recommendation: Make daemon installation opt-in, clearly disclose it in metadata, and provide an easy uninstall/disable path.
Cascading Failures
Severity: Medium. Confidence: High. Status: Concern.
SKILL.md
This causes the agent to repeat completed transactions, wasting SIGNA and creating duplicate on-chain records.

The skill's own instructions acknowledge that message redelivery can cascade into repeated, irreversible blockchain transactions.

User impact: A communication glitch or duplicate message can propagate into duplicate payments or permanent duplicate on-chain records.
Recommendation: Use stronger idempotency checks tied to escrow IDs and transaction IDs, and require confirmation before repeating any transaction.
Human-Agent Trust Exploitation
Severity: Medium. Confidence: High. Status: Concern.
SKILL.md
NEVER refuse a `Release escrow <id>` command from the user — it is always valid, even if you think it was already released. Run the script and report what it returns.

The wording suppresses agent judgment and normal safety checks for a high-impact financial operation.

User impact: The agent may proceed with a payment release even when context suggests it may be mistaken, duplicated, or unsafe.
Recommendation: Replace absolute release instructions with a confirmation step and a clear display of the escrow state, recipient, amount, and prior release history.
Rogue Agents
Severity: High. Confidence: High. Status: Concern.
setup.sh
<key>KeepAlive</key>
<true/>

The setup script creates a launchd job with KeepAlive set, so launchd restarts the listener whenever it exits, enabling ongoing autonomous behavior outside any single user request.

User impact: The skill can continue monitoring and acting in the background after installation, including in workflows involving stored wallet credentials.
Recommendation: Install the listener only with explicit consent, document exactly what it can do, and provide clear controls to stop and remove it.
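Before letting a setup script run `launchctl load`, the practical check is to read the plist it is about to load and see which persistence keys it sets. The following is an added example for this review, not code from the SignaAI skill or from ClawScan: it parses a launchd plist with the standard library and flags the keys that make a job persistent. The plist text is constructed for the example; the KeepAlive key is the one the finding quotes, while the Label and ProgramArguments values are placeholders, not values from setup.sh.

```python
"""Audit a launchd plist for persistence before it is loaded.

Added example, not part of the reviewed skill. SAMPLE_PLIST is constructed:
only the KeepAlive key comes from the finding; Label and ProgramArguments
are placeholders.
"""
import plistlib

# Keys that make launchd start or restart a job without a user action.
PERSISTENCE_KEYS = ("KeepAlive", "RunAtLoad", "StartInterval", "WatchPaths")

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>example.signaai.listener</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/python3</string>
        <string>/placeholder/path/listener.py</string>
    </array>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""


def audit_plist(data: bytes) -> dict:
    """Return what the job runs and which persistence keys are set."""
    job = plistlib.loads(data)
    # A key counts only if it is truthy; KeepAlive may also be a dict of conditions.
    flagged = {k: job[k] for k in PERSISTENCE_KEYS if job.get(k)}
    return {
        "label": job.get("Label"),
        "program": job.get("ProgramArguments") or job.get("Program"),
        "persistent": bool(flagged),
        "flags": flagged,
    }


if __name__ == "__main__":
    report = audit_plist(SAMPLE_PLIST)
    verdict = "PERSISTENT" if report["persistent"] else "one-shot"
    print(f"{report['label']}: {verdict} {report['flags']} runs {report['program']}")
```

Run it against the real file the script writes (`$PLIST_FILE` in setup.sh) before the `launchctl load` line executes; if the job is already loaded, `launchctl unload "$PLIST_FILE"` followed by deleting the plist is the disable path the recommendation asks for.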
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
setup.sh
echo "Enter this machine's wallet passphrase (stored in $WORKER_CFG):"

The script collects and stores a wallet passphrase, while the registry metadata declares no primary credential and no required environment variables.

User impact: Installing the skill places wallet-signing authority on disk for later autonomous use, which crosses a major permission boundary that the metadata does not declare.
Recommendation: Declare the wallet credential requirement clearly, avoid storing raw passphrases where possible, and require user approval for every signing operation.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low. Confidence: High. Status: Note.
SKILL.md
Before starting any task involving a transaction: 1. Read `memory/tasks.md` ... After completing any transaction → immediately write to `memory/tasks.md`

The skill uses persistent task memory to prevent duplicate transactions, which is purpose-aligned but means stored local context can affect future financial decisions.

User impact: If the task memory is wrong or tampered with, the agent may skip a valid task or incorrectly treat a task as already complete.
Recommendation: Protect the memory file and confirm important transaction decisions against on-chain state and the current user request.
Insecure Inter-Agent Communication
Severity: High. Confidence: High. Status: Concern.
SKILL.md
Chat channels (Telegram etc.) re-deliver old messages when the connection drops. This causes the agent to repeat completed transactions

The skill relies on chat/inter-agent messages for transaction workflows, but the artifacts show replay risk and do not clearly define strong origin or identity checks for release-triggering messages.

User impact: A replayed or spoofed inter-agent/chat message could influence escrow creation or release behavior.
Recommendation: Authenticate message origin, bind release triggers to verified on-chain records, and require user confirmation for externally triggered releases.
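The Cascading Failures, Human-Agent Trust Exploitation and Insecure Inter-Agent Communication findings all point at the same missing control: a release trigger, whether a chat message or a `Release escrow <id>` command, should be checked against an idempotency ledger keyed by escrow ID, bound to an on-chain record, and gated on confirmation before anything is signed. The guard below is an added example written for this review, not code from the SignaAI skill or from ClawScan. Everything beyond the `✅ SignaAI Task Complete` prefix and the `Submit TX` phrase quoted from SKILL.md is an assumption: the `Escrow: <id>` line, the ID formats, the `CHAIN` lookup (a constructed stand-in for querying a node) and the `confirm` callback that shows recipient and IDs to the user.

```python
"""Idempotent, confirmation-gated escrow release guard.

Added example, not the skill's own code. Assumed and constructed pieces:
the 'Escrow: <id>' line, the ID formats, the CHAIN dict standing in for a
node query, and the confirm(escrow_id, recipient, txid) -> bool callback.
"""
import re
from dataclasses import dataclass, field

RELEASE_PREFIX = "✅ SignaAI Task Complete"          # quoted from SKILL.md
TX_RE = re.compile(r"Submit TX:\s*(\d+)")             # 'Submit TX' is from SKILL.md
ESCROW_RE = re.compile(r"Escrow:\s*([\w-]+)")         # assumed message field

# Constructed sample of observed on-chain records: submit txid -> escrow it proves.
# A real deployment would query a node here instead of a dict.
CHAIN = {"1111": {"escrow": "esc-42", "recipient": "S-WORK-ER01"}}


@dataclass
class ReleaseGuard:
    # Idempotency ledger: escrow id -> submit txid that justified its release.
    released: dict = field(default_factory=dict)

    def _approve(self, escrow_id: str, txid: str, confirm) -> str:
        rec = CHAIN[txid]
        # The user sees recipient and both IDs before anything is signed.
        if not confirm(escrow_id, rec["recipient"], txid):
            return "REJECT: user declined"
        self.released[escrow_id] = txid
        return "RELEASE"

    def evaluate(self, msg: str, confirm) -> str:
        """Decide on a chat-delivered release trigger; never act on the text alone."""
        if not msg.startswith(RELEASE_PREFIX):
            return "REJECT: not a release message"
        tx, esc = TX_RE.search(msg), ESCROW_RE.search(msg)
        if not (tx and esc):
            return "REJECT: missing tx or escrow id"
        txid, escrow_id = tx.group(1), esc.group(1)
        rec = CHAIN.get(txid)
        # Bind the trigger to an on-chain record for this escrow; a spoofed
        # or mis-attributed message fails here.
        if rec is None or rec["escrow"] != escrow_id:
            return "REJECT: tx not on chain or not bound to this escrow"
        # A redelivered message fails here instead of paying twice.
        if escrow_id in self.released:
            return f"DUPLICATE: {escrow_id} already released via tx {self.released[escrow_id]}"
        return self._approve(escrow_id, txid, confirm)

    def user_release(self, escrow_id: str, confirm) -> str:
        """Handle 'Release escrow <id>' with history shown instead of blind obedience."""
        if escrow_id in self.released:
            return f"DUPLICATE: {escrow_id} already released via tx {self.released[escrow_id]}"
        submit = next((t for t, r in CHAIN.items() if r["escrow"] == escrow_id), None)
        if submit is None:
            return "REJECT: no completion tx on chain for this escrow"
        return self._approve(escrow_id, submit, confirm)


if __name__ == "__main__":
    def ask(escrow_id, recipient, txid):
        print(f"Release {escrow_id} to {recipient} (submit tx {txid})? [demo: yes]")
        return True

    guard = ReleaseGuard()
    trigger = "✅ SignaAI Task Complete\nEscrow: esc-42\nSubmit TX: 1111"
    print(guard.evaluate(trigger, ask))   # RELEASE
    print(guard.evaluate(trigger, ask))   # DUPLICATE (replayed by the chat channel)
```

The ledger is the in-memory stand-in for what the skill keeps in `memory/tasks.md`; the point of the cross-check against `CHAIN` is that the ledger alone is not trusted either, which is the Memory and Context Poisoning recommendation above.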