Signet Guardian
Review
Audited by ClawScan on May 10, 2026.
Overview
This payment-guard skill is mostly coherent, but its bundled fallback policy has payments enabled, so it could allow payment-capable skills to proceed before the user has explicitly configured their own policy.
Before installing, set an explicit Signet policy in OpenClaw config and consider changing paymentsEnabled to false until you opt in. Verify that any payment-capable skill you use actually calls and obeys Signet preflight/record results, and remember that the ledger stores local payment history.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Payment-capable skills that honor Signet may be told that small payments are allowed using the packaged defaults, not a policy the user explicitly created.
The SKILL.md and code describe references/policy.json as the fallback policy after OpenClaw config. Because the bundled fallback enables payments, a fresh or unconfigured setup can return ALLOW under these limits instead of requiring the user to opt in first.
```json
{
  "paymentsEnabled": true,
  "maxPerTransaction": 20,
  "maxPerMonth": 500,
  "currency": "GBP",
  "requireConfirmationAbove": 5
}
```
Ship the fallback policy with paymentsEnabled set to false, or require an explicit first-run configuration step before any ALLOW result is possible.
The guard is only effective when every payment-capable skill is integrated correctly.
The guard depends on cooperating payment skills. If another skill skips preflight, ignores DENY, or fails to handle CONFIRM_REQUIRED correctly, Signet cannot block the payment, because it has no enforcement point of its own.
It does not intercept payments at runtime by itself; payment-capable skills must route through it by contract.
Use it only with payment skills that explicitly call signet-preflight before payment and signet-record after payment, and verify confirmation handling.
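To make the first two findings concrete, here is an added illustration of the policy precedence and the preflight/record contract they describe. This is example code written for this review, not the Signet Guardian skill's own implementation: the policy field names and values come from the policy.json excerpt above, while the function names (resolvePolicy, preflight, record), the verdict rules, the ledger shape and the sample ledger entries are assumptions made for illustration. It shows a fresh install with no OpenClaw policy getting ALLOW for a small payment from the bundled fallback and DENY from a fallback with paymentsEnabled set to false, and it shows why a skill that skips signet-record weakens the monthly cap for every later preflight.

```typescript
// Example written for this review, not the Signet Guardian skill's own code.
// Policy fields follow the quoted policy.json; verdict rules, function names,
// ledger shape and sample entries are assumptions made for illustration.

type Verdict = "ALLOW" | "CONFIRM_REQUIRED" | "DENY";

interface Policy {
  paymentsEnabled: boolean;
  maxPerTransaction: number;
  maxPerMonth: number;
  currency: string;
  requireConfirmationAbove: number;
}

interface LedgerEntry {
  ts: string;                    // ISO-8601, used for the per-month window
  amount: number;
  currency: string;
  payee: string;
  purpose: string;
  outcome: "PAID" | "DENIED";    // denials are kept but never count as spend
}

// The packaged fallback as quoted in finding 1: payments on by default.
export const BUNDLED_FALLBACK: Policy = {
  paymentsEnabled: true, maxPerTransaction: 20, maxPerMonth: 500,
  currency: "GBP", requireConfirmationAbove: 5,
};

// The fallback the review recommends shipping: nothing proceeds until the
// user writes their own policy into OpenClaw config.
export const SAFE_FALLBACK: Policy = { ...BUNDLED_FALLBACK, paymentsEnabled: false };

// Precedence as SKILL.md describes it: OpenClaw config first, packaged fallback
// second. The source is returned so an explicit opt-in is distinguishable from
// a default the user never saw.
export function resolvePolicy(openclawConfig: Policy | undefined, fallback: Policy):
  { policy: Policy; source: "openclaw-config" | "bundled-fallback" } {
  return openclawConfig
    ? { policy: openclawConfig, source: "openclaw-config" }
    : { policy: fallback, source: "bundled-fallback" };
}

export function spentThisMonth(ledger: LedgerEntry[], now: Date, currency: string): number {
  const month = now.toISOString().slice(0, 7); // "YYYY-MM"
  return ledger
    .filter((e) => e.outcome === "PAID" && e.currency === currency && e.ts.startsWith(month))
    .reduce((sum, e) => sum + e.amount, 0);
}

// signet-preflight: the payment skill must call this before paying and obey
// every verdict; Signet cannot intercept a payment that bypasses it.
export function preflight(policy: Policy, ledger: LedgerEntry[],
  req: { amount: number; currency: string }, now: Date): Verdict {
  if (!policy.paymentsEnabled) return "DENY";
  if (req.currency !== policy.currency) return "DENY";
  if (!(req.amount > 0) || req.amount > policy.maxPerTransaction) return "DENY";
  if (spentThisMonth(ledger, now, policy.currency) + req.amount > policy.maxPerMonth) return "DENY";
  if (req.amount > policy.requireConfirmationAbove) return "CONFIRM_REQUIRED";
  return "ALLOW";
}

// signet-record: the payment skill must append the outcome after paying, or
// the monthly cap in the next preflight is computed from stale data.
export function record(ledger: LedgerEntry[], entry: LedgerEntry): void {
  ledger.push(entry);
}

export function demoPolicy(): Record<string, Verdict> {
  const now = new Date("2026-05-10T12:00:00Z");
  const gbp = (amount: number) => ({ amount, currency: "GBP" });

  // Fresh install, no OpenClaw policy: the shipped fallback allows 3 GBP.
  const shipped = resolvePolicy(undefined, BUNDLED_FALLBACK);
  const freshInstallShipped = preflight(shipped.policy, [], gbp(3), now);
  // Same install with the hardened fallback: denied until the user opts in.
  const hardened = resolvePolicy(undefined, SAFE_FALLBACK);
  const freshInstallSafe = preflight(hardened.policy, [], gbp(3), now);

  // Explicit user policy with a 100 GBP monthly cap, and a constructed ledger
  // with 95 GBP already paid this month.
  const user = resolvePolicy({ ...BUNDLED_FALLBACK, maxPerMonth: 100 }, SAFE_FALLBACK);
  const ledger: LedgerEntry[] = [];
  for (const amount of [20, 20, 20, 20, 15]) {
    record(ledger, { ts: "2026-05-03T09:00:00Z", amount, currency: "GBP",
      payee: "example-payee", purpose: "sample entry", outcome: "PAID" });
  }
  const monthlyCapExceeded = preflight(user.policy, ledger, gbp(10), now);      // 105 > 100
  const monthlyCapReachedExactly = preflight(user.policy, ledger, gbp(5), now); // 100, and 5 is not above 5
  // A skill that skipped signet-record leaves the ledger empty, so the same
  // 10 GBP request only asks for confirmation instead of being denied.
  const sameRequestNeverRecorded = preflight(user.policy, [], gbp(10), now);

  return { freshInstallShipped, freshInstallSafe, monthlyCapExceeded,
    monthlyCapReachedExactly, sameRequestNeverRecorded };
}
```

The `source` field returned by `resolvePolicy` is the hook for the first-run gate the review suggests: a guard that refuses to return ALLOW while `source` is still `"bundled-fallback"` forces the opt-in regardless of what the packaged file says.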
Running the edit command executes whatever editor command is configured in the environment.
The CLI can spawn a local editor for policy editing. This matches the documented signet-policy --edit behavior, but it is still local command execution influenced by the user's editor setting.
```ts
const result = spawnSync(editorCmd, [...editorArgs, POLICY_PATH], {
```
Run signet-policy --edit only in a trusted shell environment and with a trusted EDITOR configuration.
Local files may accumulate sensitive financial history that other local processes or future reports can read.
The skill persistently stores transaction and denial history locally, including payees and payment purposes.
Ledger file: `{baseDir}/references/ledger.jsonl`... Plus: amount, currency, payee, purpose.
Treat the ledger as sensitive data, restrict local file access to the owning user, and periodically review or archive it according to your privacy needs.
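As an added example for the recommendation above (written for this review, not taken from the skill), here is how a record step can keep the ledger readable only by its owner: the file is created with mode 0600, the containing directory with 0700, and a pre-existing ledger left with a wider mode is tightened on the next append. The temporary directory standing in for `{baseDir}`, the entry fields beyond those named in the finding, and the function names are assumptions.

```typescript
// Example written for this review, not the Signet Guardian skill's own code.
// Paths, entry fields and function names are assumptions for illustration.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

export const LEDGER_MODE = 0o600;     // owner read/write only
export const LEDGER_DIR_MODE = 0o700; // owner-only directory

export function ledgerMode(ledgerPath: string): number {
  return fs.statSync(ledgerPath).mode & 0o777;
}

// Append one JSONL record. The `mode` option only applies when appendFileSync
// creates the file, so a ledger that already exists with a wider mode is
// tightened explicitly after the write.
export function appendLedgerEntry(ledgerPath: string, entry: Record<string, unknown>): void {
  fs.mkdirSync(path.dirname(ledgerPath), { recursive: true, mode: LEDGER_DIR_MODE });
  fs.appendFileSync(ledgerPath, JSON.stringify(entry) + "\n", { mode: LEDGER_MODE });
  if (ledgerMode(ledgerPath) !== LEDGER_MODE) fs.chmodSync(ledgerPath, LEDGER_MODE);
}

export function readLedger(ledgerPath: string): Record<string, unknown>[] {
  return fs.readFileSync(ledgerPath, "utf8")
    .split("\n")
    .filter((line) => line.length > 0)
    .map((line) => JSON.parse(line) as Record<string, unknown>);
}

export function demoLedger(): { modeAfterCreate: number; modeAfterTighten: number; entries: number } {
  // Constructed sample under a temp dir standing in for {baseDir}/references.
  const baseDir = fs.mkdtempSync(path.join(os.tmpdir(), "signet-guardian-"));
  const ledgerPath = path.join(baseDir, "references", "ledger.jsonl");
  const sample = { ts: "2026-05-10T12:00:00Z", amount: 3, currency: "GBP",
    payee: "example-payee", purpose: "sample entry", outcome: "PAID" };
  try {
    appendLedgerEntry(ledgerPath, sample);
    const modeAfterCreate = ledgerMode(ledgerPath);
    // Simulate a ledger left world-readable by an earlier version of the skill.
    fs.chmodSync(ledgerPath, 0o644);
    appendLedgerEntry(ledgerPath, { ...sample, amount: 7, outcome: "DENIED" });
    const modeAfterTighten = ledgerMode(ledgerPath);
    return { modeAfterCreate, modeAfterTighten, entries: readLedger(ledgerPath).length };
  } finally {
    fs.rmSync(baseDir, { recursive: true, force: true });
  }
}
```

On a shared machine this only protects against other user accounts; processes running as the same user, including other skills in the same agent, can still read the file, which is why the review also recommends periodic review or archiving.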
Using the CLI may require installing or running packages from the Node ecosystem.
Although registry metadata lists no install spec or required binaries, the documented workflow relies on Node tooling and npm/pnpm packages.
- Node.js 18+
- `tsx` (used via `npx`, or install locally)
```bash
pnpm install
# or: npm install
```
Install from a trusted source, review package-lock/pnpm-lock contents, and prefer pinned/local dependencies over ad-hoc npx execution where possible.
