Receipts Guard
Pass. Audited by VirusTotal on May 12, 2026.
Findings (1)
The OpenClaw AgentSkills bundle 'receipts-guard' is classified as benign. While it implements powerful features like cryptographic key management, on-chain transactions using a private key, and an HTTP server, these capabilities are directly aligned with its stated purpose as an 'arbitration protocol for autonomous agent commerce'. The `SKILL.md` documentation provides clear instructions for the agent's operation without any evidence of prompt injection attempts to subvert the agent's core directives or exfiltrate unrelated data. The `capture.js` code demonstrates robust security practices, including restricted file permissions (e.g., `0o600` for private keys in `~/.openclaw/receipts/identity/private/`), strong Ed25519 cryptography with replay protection, and a security-hardened HTTP server featuring rate limiting, configurable CORS, API key authentication, DID request signing, and input validation. The `SECURITY_AUDIT.md` further confirms a proactive approach to security, detailing a fixed file permission vulnerability and outlining future enhancements. All identified high-risk capabilities are necessary for the skill's functionality and are handled with appropriate warnings and secure configuration expectations (e.g., `RECEIPTS_WALLET_PRIVATE_KEY` as an environment variable).
