Back to skill
Skillv1.1.1
ClawScan security
Guardrail Agent Smart Account Wallets · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 31, 2026, 6:49 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's declared purpose (deploying and enforcing ERC-4337 smart-account policies) aligns with its runtime instructions and requested environment variables; nothing in the package suggests unrelated or hidden behavior.
- Guidance
- This skill appears internally consistent, but review these operational risks before installing: 1) Vet the AgentGuardrail service and any external signer you use (hosting, auth, audit, revocation). 2) Never paste private keys; prefer external signers, wallet prompts, or short-lived session keys as documented. 3) Treat GUARDRAIL_RPC_URL and any signer auth tokens as sensitive and store them in secure secret storage. 4) Test on a non-production chain (e.g., Sepolia/testnet) to verify deployed contracts and policies behave as you expect. 5) If you plan to self-host components or override GUARDRAIL_API_URL, audit the code and contracts you will interact with. Finally, consider limiting or disabling autonomous agent invocation for any skill that can prepare transactions unless you trust the signing workflow and governance around it.
Review Dimensions
- Purpose & Capability
- okName/description request JSON-RPC access and a signing mode; the required env vars (GUARDRAIL_CHAIN_ID, GUARDRAIL_RPC_URL, GUARDRAIL_SIGNING_MODE) match the stated on-chain deployment/signing needs. Optional secrets (signer endpoint/token, dashboard API key) are appropriate for the described management and signing modes.
- Instruction Scope
- noteSKILL.md is an instruction-only spec that stays on-topic: it explains building UserOperations, on-chain validation, and management via the AgentGuardrail API. It explicitly forbids asking for private keys in chat and instructs read-only operation when signing is not configured. Note: the instructions include sending transactions/validation requests to external endpoints (agentguardrail.xyz or an external signer) — this is expected for the purpose but is an important external-data flow to review before use.
- Install Mechanism
- okNo install spec and no code files — instruction-only skills have minimal filesystem/install risk. Nothing is downloaded or executed by default.
- Credentials
- okThe requested environment variables are proportional and well-justified for on-chain operations. Marking GUARDRAIL_RPC_URL as primary is reasonable (RPC endpoints often contain API keys). Optional signer endpoint and auth token are appropriate only when using external_signer.
- Persistence & Privilege
- okThe skill is not 'always' enabled and requires user invocation. It doesn't request system or other-skill config paths, nor does it demand persistent privileges beyond connection strings and optional API tokens.