Signet Guardian

v0.1.0

Payment guard middleware for AI agents. Use whenever any skill is about to initiate a payment. Runs a preflight check against the user's policy (payments enabled, per-transaction limit, monthly cap). Returns ALLOW, DENY, or CONFIRM_REQUIRED. Other payment-capable skills must call signet-preflight before proceeding and signet-record after a successful payment.

⭐ 0· 805·0 current·0 all-time

by@rafalzacher1

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for rafalzacher1/signet-guardian.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Signet Guardian" (rafalzacher1/signet-guardian) from ClawHub.
Skill page: https://clawhub.ai/rafalzacher1/signet-guardian
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install rafalzacher1/signet-guardian

ClawHub CLI

Package manager switcher

npx clawhub@latest install signet-guardian

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name and description (payment preflight, record, report, policy) align with included CLI and extension files. The skill only needs local config/refs and registers a config schema for the OpenClaw dashboard; it does not request unrelated cloud credentials or external services.

ℹ

Instruction Scope

Runtime instructions and CLI implement preflight, record, report and policy edit/migrate as described. The CLI reads the OpenClaw config file (path from OPENCLAW_CONFIG_PATH or default ~/.openclaw/openclaw.json) and falls back to references/policy.json; it appends ledger lines and logs DENY events. The policy-migrate/edit commands will read and (likely) write the OpenClaw config — review code/path handling before running to avoid accidental config overwrites. It does not perform outbound network requests.

✓

Install Mechanism

No install spec; this is instruction/CLI code you run locally. Dependencies are standard npm packages (prompts, tsx) declared in package.json and lockfile. There are no downloads from arbitrary URLs or extracted archives.

✓

Credentials

Skill declares no required env vars or credentials. It legitimately uses OPENCLAW_BASE_DIR / OPENCLAW_SKILL_DIR / OPENCLAW_CONFIG_PATH to find policy and ledger files; that is proportional to its purpose. Note: the CLI reads the whole OpenClaw config file (to find signet.policy), which could contain other settings — the skill does not send them anywhere but will access them locally.

✓

Persistence & Privilege

Does not request always:true and is not force-included. It writes only to its references directory and to OpenClaw config when migrating policy or when installed as an extension (the extension registers a schema). Ledger and lock files are local and expected for its function.

Assessment

This skill appears to do what it says: local preflight checks, ledger recording, and optional dashboard policy UI. Before installing, do the following: (1) review scripts/signet-cli.ts (and the migrate/edit code path) so you understand exactly how it reads/writes ~/.openclaw/openclaw.json and the references/ ledger; back up your OpenClaw config first; (2) be aware that denied attempts are appended to a local ledger that will contain payee, amount, and purpose — this is stored locally (no network calls shown) but could include sensitive metadata; (3) the migrate command may modify your global OpenClaw config — only run it if you trust the repo and have a backup; (4) installation as an OpenClaw extension requires copying files into your OpenClaw extensions path and restarting the gateway — follow those steps carefully. If you want extra assurance, run the test script in an isolated environment (or inspect/execute the CLI manually) before enabling it for real payments.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛡️ Clawdis

latestvk972fb8kwtrbr8c3egvt3tt8p9810nqa

805downloads

0stars

1versions

Updated 17h ago

v0.1.0

MIT-0

Signet Guardian — Payment Guard Middleware

Overview

Signet Guardian is a policy firewall for money actions. It does not intercept payments at runtime by itself; payment-capable skills must route through it by contract:

Before any payment: call signet-preflight (amount, currency, payee, purpose).
If result is ALLOW or CONFIRM_REQUIRED (and user has confirmed): the skill may proceed.
If result is DENY: do not proceed; tell the user the reason.
After a successful payment: call signet-record to append to the ledger.

This gives one place to enforce: master switch (payments on/off), max per transaction (e.g. £20), max per month (e.g. £500), and optional confirmation above a threshold (e.g. £5).

Concurrency: Preflight is advisory (no lock). Record enforces the monthly cap under a file lock ({baseDir}/references/.ledger.lock): it re-checks the cap before appending and refuses to record if the month would be exceeded. So the monthly limit is enforced at record time; idempotency and cap are both safe under concurrent calls. Preflight can still be used to fail fast; the definitive check is in record.

Currency: No FX conversion. The request currency must match the policy currency; otherwise preflight returns DENY. Conversion source/rules are not defined.

Policy (user configuration)

Source of truth: OpenClaw config first (signet.policy in the main config, e.g. editable in the Control UI if the extension is installed), then fallback to {baseDir}/references/policy.json. OpenClaw sets {baseDir} via OPENCLAW_SKILL_DIR or OPENCLAW_BASE_DIR.

Field	Meaning
`paymentsEnabled`	Master switch. If `false`, all payments are denied.
`maxPerTransaction`	Max amount allowed for a single transaction (e.g. 20).
`maxPerMonth`	Max total spend in the current calendar month (e.g. 500).
`currency`	ISO currency code (e.g. GBP, USD). Request currency must match.
`requireConfirmationAbove`	Above this amount, return CONFIRM_REQUIRED so the user must explicitly confirm (e.g. 5).
`blockedMerchants`	Optional list of substrings; payee matching any is denied.
`allowedMerchants`	Optional; if non-empty, only payees matching one of these are allowed.
`version`	Optional number for future policy migrations.

Default behaviour: If the policy file is missing or invalid, preflight returns DENY (default-deny).

Commands

`signet-preflight`

Run before initiating any payment. Validates: payments enabled, currency match, amount > 0 and ≤ max per transaction, (current month spend + amount) ≤ max per month, and optional merchant rules. Optionally requires explicit confirmation above a threshold. Amount must be greater than zero.

signet-preflight --amount 15 --currency GBP --payee "shop.example.com" --purpose "Subscription"

Optional:

--idempotency-key "unique-key" — Used when recording later to avoid duplicate ledger entries.
--caller-skill "skill-name" — Name of the skill invoking the guard (for audit).

Output (JSON):

{ "result": "ALLOW", "reason": "Within policy" } — Proceed with the payment.
{ "result": "CONFIRM_REQUIRED", "reason": "..." } — Ask the user for explicit confirmation; if they agree, proceed then call signet-record. (Confirmation is the caller’s responsibility.)
{ "result": "DENY", "reason": "..." } — Do not proceed. Notify the user.

Every DENY is logged to the audit trail.

Exit code: 0 for ALLOW or CONFIRM_REQUIRED, 1 for DENY.

`signet-record`

Call after a payment has successfully been made. Appends one line to the ledger (append-only). If an idempotency key was used in preflight, pass the same key here to avoid double-counting.

Record validation scope: signet-record re-checks only currency and monthly cap (under lock). It does not re-check paymentsEnabled or merchant allow/block lists. Policy enforcement (switch, merchants, per-tx limit) is done at preflight (and in an optional future authorize phase). Record is the post-success log; the cap check at record time prevents double-counting when concurrent preflights both allowed.

signet-record --amount 15 --currency GBP --payee "shop.example.com" --purpose "Subscription" --idempotency-key "sub-123"

Optional: --caller-skill "skill-name" for audit.

If the same idempotency-key was already recorded, the command is a no-op (idempotent).

`signet-report`

Shows spending and transaction history for the user.

signet-report --period today
signet-report --period month

`signet-policy`

Show, edit, or configure policy via wizard.

signet-policy --show    # Print current policy (config, then file)
signet-policy --edit    # Open policy.json in $EDITOR
signet-policy --wizard  # Interactive step-by-step setup (no JSON)
signet-policy --migrate-file-to-config  # One-time: copy file policy into OpenClaw config

Audit (ledger and deny log)

Ledger file: {baseDir}/references/ledger.jsonl. Format is strict JSONL: one JSON object per line, newline-separated (no space between entries). Each line contains:

ts — Timestamp UTC (ISO 8601).
callerSkill — Optional; skill that invoked preflight/record.
idempotencyKey — Optional; dedupe key for record.
status — completed or denied.
reason — Decision reason (especially for denials).
Plus: amount, currency, payee, purpose.

All preflight denials are appended to the same ledger with status: "denied" and a reason.

Critical Rules (for the agent)

Never skip preflight — Any payment from any skill must go through signet-preflight first. No exceptions.
Respect DENY — If preflight returns DENY, do not attempt the payment. Tell the user the reason.
CONFIRM_REQUIRED — If preflight returns CONFIRM_REQUIRED, ask the user explicitly (“Allow this payment of £X to Y?”). Only proceed if they confirm, then call signet-record.
Always record success — After a successful payment, call signet-record with the same amount, currency, payee, purpose, and idempotency key (if used).
Idempotency — For critical flows, use a stable --idempotency-key (e.g. order ID or request ID) so retries do not double-count in the monthly total.
Default-deny — If the policy file is missing or corrupt, the skill denies by default.
Record is authoritative for cap only — The monthly cap is enforced when recording (under lock). If signet-record fails with a cap error, the payment already happened; do not retry without user confirmation. For cap-safe flows before payment, a future authorize (reservation under lock) then settle (convert reservation to completed) pattern can reserve budget before the payment is made.

First Run

On first use, the user must have a valid {baseDir}/references/policy.json. Run signet-policy --show to see current policy; if missing, create it (e.g. via signet-policy --edit) with at least:

paymentsEnabled: true/false
maxPerTransaction: number
maxPerMonth: number
currency: e.g. "GBP"
requireConfirmationAbove: number (e.g. 5)

Ledger lives at {baseDir}/references/ledger.jsonl; no extra setup required.

Comments

Loading comments...