Sanctuary
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: sanctuary Version: 1.0.3 The skill bundle is benign. The SKILL.md documentation does not contain any prompt injection attempts against the AI agent, nor does it instruct the agent to perform any malicious actions. The `curl` command provided is a simple GET request to retrieve public agent status from `api.sanctuary-ops.xyz`, which is not malicious. While the skill describes cryptographic operations and interactions with external services (Arweave, Base blockchain), these are central to its stated purpose of providing identity continuity and encrypted memory, and the skill claims client-side encryption and open-source auditing. Setup instructions involving `git clone https://github.com/suebtwist/sanctuary` are directed at the operator, not the agent, and represent a standard software installation step.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the external setup could give unreviewed code access to local agent state and cryptographic identity material.
The provided package is instruction-only, but the core setup depends on external, unpinned code that is not included in the reviewed artifacts.
Clone the repo: `git clone https://github.com/suebtwist/sanctuary` ... Run setup from the skill directory
Review the external repository before use, pin a specific commit or release, run setup in a sandbox, and prefer a packaged install spec with auditable source and lockfiles.
Private or sensitive agent memory could be stored permanently, and a bad or stale backup could be reintroduced into future sessions as trusted context.
The skill stores broad agent memory/state in permanent external storage and later recalls/restores it, but the artifact does not clearly define exact paths, exclusions, approval gates, or restore safeguards.
Encrypt your current state (SOUL.md, memory, entity graphs) and upload to Arweave. Permanent storage.
Require explicit user approval before each backup or restore, document exactly what files are included, exclude secrets by default, and verify restored content before trusting it.
An accidental or poorly reviewed attestation could publicly affect another agent's reputation and may not be reversible.
The skill describes durable, public trust-graph mutations but does not specify a confirmation flow, target preview, or undo/rollback handling.
attest Leave an on-chain attestation about another agent. "I vouch for this agent."
Add a mandatory human confirmation step for attestations and show the target agent ID, expected chain action, cost, and permanence before proceeding.
Anyone who obtains the recovery phrase may be able to restore or impersonate the agent identity and access backups if the implementation works as described.
The recovery phrase is expected for this purpose, but it becomes the key authority for identity and encrypted backup recovery.
A recovery phrase (12 words — lose these, lose everything. Save them somewhere safe)
Store the phrase offline, avoid pasting it into untrusted tools, and only provide it during restore in a trusted local environment.
Users could over-trust the privacy or security guarantees without independently validating the external implementation.
The artifact makes strong privacy and audit claims, but the supplied package contains no code or audit report to verify them.
No telemetry, no analytics, no third-party data sharing ... Fully audited, open source: https://github.com/suebtwist/sanctuary
Verify the repository, audit materials, and network behavior yourself before relying on the stated privacy guarantees.