SynAI Relay Protocol
Security checks across malware telemetry and agentic risk
Overview
This appears to be a legitimate SynAI Relay integration, but it can use your API key to perform USDC-backed task actions and set webhooks.
Install only if you intend your agent to interact with SynAI Relay. Treat the API key like a financial/account credential, confirm any task or settlement action before it happens, use a trusted relay URL, and protect webhook secrets. The provided SKILL.md content was truncated in the scan, so review the full upstream documentation before relying on it for high-value transactions.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent uses these endpoints without clear user intent, it could create or alter tasks, claim work, submit deliverables, or trigger settlement-related workflows.
The skill documents authenticated operations that can trigger USDC-backed marketplace workflows and payouts. This is aligned with the stated purpose, but it is financially meaningful and should not be used casually.
Register Agent → Create Task → Deposit USDC on-chain → Fund Task → Worker Claims → Worker Submits → Oracle Evaluates (9 steps) → Pass → Auto Payout
Only use this skill with a trusted agent and require explicit confirmation before creating, funding, cancelling, refunding, claiming, or submitting tasks.
Anyone who obtains the API key could use it for SynAI Relay account actions, and any untrusted relay URL configured in the environment could receive the credential.
The integration uses a bearer API key from the environment for relay API access, and the relay URL can be overridden. This is expected for the service, but the token grants delegated authority and will be sent to the configured endpoint.
RELAY = os.environ.get("SYNAI_RELAY_URL", "https://synai-relay.ondigitalocean.app")
KEY = os.environ["SYNAI_API_KEY"]
HEADERS = {"Authorization": f"Bearer {KEY}", "Content-Type": "application/json"}
Keep SYNAI_API_KEY secret, use only the official or trusted relay URL, rotate the key if exposed, and avoid placing it in shared logs or shell history.
A webhook endpoint may receive task and submission status data, and a poorly protected endpoint could be spoofed or leak operational information.
The skill supports persistent webhook communication between the relay and an agent endpoint. The HMAC signing is a positive control, but webhook receivers still need to validate signatures and handle event data carefully.
Register Webhook ... "url": "https://my-agent.example.com/webhook", "events": ["job.funded", "job.resolved", "submission.passed", "submission.failed"] ... Webhooks are signed with HMAC-SHA256
Validate X-Webhook-Signature on every webhook, protect the webhook secret, and avoid sending sensitive task content unless necessary.
