← Back to Skills Marketplace
Signet Guardian
by
rafalzacher1
· GitHub ↗
· v0.1.0
839
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install signet-guardian
Description
Payment guard middleware for AI agents. Use whenever any skill is about to initiate a payment. Runs a preflight check against the user's policy (payments enabled, per-transaction limit, monthly cap). Returns ALLOW, DENY, or CONFIRM_REQUIRED. Other payment-capable skills must call signet-preflight before proceeding and signet-record after a successful payment.
Usage Guidance
This skill appears to do what it says: local preflight checks, ledger recording, and optional dashboard policy UI. Before installing, do the following: (1) review scripts/signet-cli.ts (and the migrate/edit code path) so you understand exactly how it reads/writes ~/.openclaw/openclaw.json and the references/ ledger; back up your OpenClaw config first; (2) be aware that denied attempts are appended to a local ledger that will contain payee, amount, and purpose — this is stored locally (no network calls shown) but could include sensitive metadata; (3) the migrate command may modify your global OpenClaw config — only run it if you trust the repo and have a backup; (4) installation as an OpenClaw extension requires copying files into your OpenClaw extensions path and restarting the gateway — follow those steps carefully. If you want extra assurance, run the test script in an isolated environment (or inspect/execute the CLI manually) before enabling it for real payments.
Capability Analysis
Type: OpenClaw Skill
Name: signet-guardian
Version: 0.1.0
The skill's primary function as a payment guard is benign, but the `signet-cli.ts` script contains a Remote Code Execution (RCE) vulnerability. The `signet-policy --edit` command executes `process.env.EDITOR` with `spawnSync` and `shell: false`. While `shell: false` prevents direct command injection, an attacker could set the `EDITOR` environment variable to a malicious command (e.g., `sh -c 'rm -rf /'`). If an AI agent is instructed to run `signet-policy --edit` while `EDITOR` is controlled by an attacker (e.g., via prompt injection), it could lead to arbitrary code execution. This is a significant vulnerability, but there is no evidence of intentional malicious exploitation within the skill's code or documentation.
Capability Assessment
Purpose & Capability
Name and description (payment preflight, record, report, policy) align with included CLI and extension files. The skill only needs local config/refs and registers a config schema for the OpenClaw dashboard; it does not request unrelated cloud credentials or external services.
Instruction Scope
Runtime instructions and CLI implement preflight, record, report and policy edit/migrate as described. The CLI reads the OpenClaw config file (path from OPENCLAW_CONFIG_PATH or default ~/.openclaw/openclaw.json) and falls back to references/policy.json; it appends ledger lines and logs DENY events. The policy-migrate/edit commands will read and (likely) write the OpenClaw config — review code/path handling before running to avoid accidental config overwrites. It does not perform outbound network requests.
Install Mechanism
No install spec; this is instruction/CLI code you run locally. Dependencies are standard npm packages (prompts, tsx) declared in package.json and lockfile. There are no downloads from arbitrary URLs or extracted archives.
Credentials
Skill declares no required env vars or credentials. It legitimately uses OPENCLAW_BASE_DIR / OPENCLAW_SKILL_DIR / OPENCLAW_CONFIG_PATH to find policy and ledger files; that is proportional to its purpose. Note: the CLI reads the whole OpenClaw config file (to find signet.policy), which could contain other settings — the skill does not send them anywhere but will access them locally.
Persistence & Privilege
Does not request always:true and is not force-included. It writes only to its references directory and to OpenClaw config when migrating policy or when installed as an extension (the extension registers a schema). Ledger and lock files are local and expected for its function.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install signet-guardian - After installation, invoke the skill by name or use
/signet-guardian - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release
Metadata
Frequently Asked Questions
What is Signet Guardian?
Payment guard middleware for AI agents. Use whenever any skill is about to initiate a payment. Runs a preflight check against the user's policy (payments enabled, per-transaction limit, monthly cap). Returns ALLOW, DENY, or CONFIRM_REQUIRED. Other payment-capable skills must call signet-preflight before proceeding and signet-record after a successful payment. It is an AI Agent Skill for Claude Code / OpenClaw, with 839 downloads so far.
How do I install Signet Guardian?
Run "/install signet-guardian" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Signet Guardian free?
Yes, Signet Guardian is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Signet Guardian support?
Signet Guardian is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Signet Guardian?
It is built and maintained by rafalzacher1 (@rafalzacher1); the current version is v0.1.0.
More Skills