ClawHub
Back to skill
v0.1.0

Signet Guardian

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:39 AM.

Analysis

This is a coherent local payment guard, but it ships with a fallback policy that enables limited payments by default, so it deserves careful review before use with real payment tools.

GuidanceBefore using this with real payment-capable skills, explicitly review and set the policy—ideally start with paymentsEnabled=false until you are ready. Verify that any payment skill calls preflight, honors CONFIRM_REQUIRED with real user confirmation, and records successful payments. Protect the OpenClaw config and ledger files, and run the policy editor only with a trusted local editor.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
references/policy.json
"paymentsEnabled": true,
  "maxPerTransaction": 20,
  "maxPerMonth": 500,
  "requireConfirmationAbove": 5

This bundled fallback policy is permissive. Because the skill documents falling back to references/policy.json when no OpenClaw config policy is present, a fresh install can allow limited payments instead of starting disabled.

User impactIf another payment-capable skill uses this guard, it may receive ALLOW for small payments under the bundled limits before the user has explicitly configured the policy.
RecommendationSet paymentsEnabled to false until the user intentionally configures limits, or ship the fallback policy disabled by default and require an explicit setup step before allowing payments.
Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
It does not intercept payments at runtime by itself; payment-capable skills must route through it by contract

The guard only works when other payment skills voluntarily call it and correctly honor its result.

User impactA payment tool that skips preflight, ignores CONFIRM_REQUIRED, or forgets to call record can bypass or weaken the intended protection.
RecommendationUse this only with trusted payment skills that explicitly integrate signet-preflight and signet-record, and verify they parse the JSON result rather than relying only on exit codes.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
scripts/signet-cli.ts
const result = spawnSync(editorCmd, [...editorArgs, POLICY_PATH], {

The CLI can execute an external editor command for policy editing.

User impactRunning the edit command will execute whatever editor command is selected, so a malicious or unexpected $EDITOR value could run unwanted local code.
RecommendationOnly run signet-policy --edit with a trusted editor environment, and prefer the wizard or dashboard for users who do not manage shell editor settings.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/signet-cli.ts
return path.join(process.env.HOME || '', '.openclaw', 'openclaw.json');

The CLI reads OpenClaw's main config as the first source of truth for signet.policy, which is appropriate for dashboard-managed policy but affects agent payment authorization.

User impactAnyone or any process that can change this config can change the payment policy used by the guard.
RecommendationProtect the OpenClaw config file, review signet.policy after installation, and limit write access to trusted users/tools.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityMediumConfidenceHighStatusNote
SKILL.md
Ledger file: `{baseDir}/references/ledger.jsonl`... Plus: amount, currency, payee, purpose.

The skill persists payment and denial history, including payees and purposes, in a local ledger.

User impactThe local ledger can reveal financial activity or attempted purchases to anyone with access to the skill directory.
RecommendationStore the skill directory securely, avoid putting sensitive details in purpose fields, and periodically review or rotate the ledger if needed.