ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sign-in with Agent

v0.0.4

SIWA (Sign-In With Agent) authentication for ERC-8004 registered agents.

0· 1.1k·2 current·2 all-time
byBuilders Garden@buildersgarden
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (SIWA for ERC-8004 agents) aligns with the content: signing, verification, onchain registration, multiple signer backends, and ERC-8128 authenticated requests. The included signer adapters (Bankr, Circle, Privy, private-key, keyring proxy) are consistent with the stated purpose.
!
Instruction Scope
The SKILL.md and companion docs instruct the agent/operator to run CLI commands inside a workspace (e.g. /home/node/.openclaw/workspace/siwa/packages/siwa-testing), to read SIWA_IDENTITY.md, and to install/use an npm package. They also show code that expects access to environment variables and to deploy/run a keyring proxy. Those runtime instructions go beyond a simple read-only doc: they expect filesystem access, running package installs, and use of secrets. The instructions also include links to external deploy buttons and Docker images which will cause network activity and external deployments if followed.
Install Mechanism
There is no formal install spec in the registry (instruction-only), lowering installer risk. However the docs tell users to run `npm install @buildersgarden/siwa` and other package installs, and recommend deploying a keyring-proxy Docker image (ghcr.io/builders-garden/siwa-keyring-proxy) or one-click Railway deploys. That means following the docs will fetch code from npm/ghcr/railway — normal for an SDK, but you should verify those packages/images/repos before running them.
!
Credentials
Registry metadata lists no required environment variables, but the documentation and examples reference many sensitive variables (KEYRING_PROXY_SECRET, KEYRING_PROXY_URL, PRIVATE_KEY, BANKR_API_KEY, PRIVY_APP_SECRET, CIRCLE_API_KEY, SIWA_SECRET, etc.). This is an inconsistency: the skill will not function without secrets for many signers or server setups, yet none are declared as required. Requesting private keys or HMAC secrets is plausible for this skill's function, but the lack of explicit declared requirements is a red flag and increases the chance of accidental secret exposure if the user follows the examples carelessly.
Persistence & Privilege
The skill does not set always:true and does not request persistent elevated privileges. It is instruction-only and does not declare any automatic self-enabling behavior. Nothing in the provided files indicates it will modify other skills' configs or demand permanent presence.
What to consider before installing
What to consider before installing/using this skill: - Incoherent metadata: the registry entry declares no required environment variables, but the documentation clearly expects many secrets (private keys, proxy HMAC secrets, API keys) for different signer backends. Treat the docs as authoritative: the skill will need secrets to operate. - Don’t paste private keys or shared HMAC secrets into a skill or chat. If you need signing, prefer a keyring/proxy deployed by you (self-hosted) and keep the proxy secret in your environment, not in chat or skill configuration. If you must test, use ephemeral testnet keys and testnet faucets. - Verify upstream packages/images before running installs or deploys: the docs reference npm package @buildersgarden/siwa and a GHCR Docker image and Railway deploy links. Inspect the npm package repository, its maintainers, and the container image contents before running them in any environment you care about. - The instructions expect filesystem access (specific workspace paths) and running pnpm/npm commands. Only run these commands in a controlled environment (isolated dev VM or container), not on sensitive production hosts. - Reverse CAPTCHA and captcha-solve helpers require the agent to generate content under constraints; that is not inherently malicious but could inadvertently leak generated content to the server endpoints shown. Confirm the server endpoints you will talk to and that you trust them. - Because the package is instruction-only in the registry and source/homepage are unknown, ask the skill author for the canonical repository URL, the npm package link, and the source for the Docker image. Without those you cannot easily audit the code you will install. If you plan to proceed: (1) audit the @buildersgarden/siwa npm package and the referenced Docker image; (2) prefer the keyring-proxy approach to avoid exposing private keys, and host it yourself; (3) use testnets and throwaway credentials for initial experiments; (4) ensure SIWA_SECRET and other server secrets are never stored in public or shared chat.

Like a lobster shell, security has layers — review code before you run it.

alphavk97btwffpztsrpv047z19wa4q580z27xlatestvk97fzh3z7d7dvhsrbdrfqa3zg581crwb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments