功能描述

Secure AI agent wallets via Sigil Protocol. 3-layer Guardian validation on 6 EVM chains.

使用说明 (SKILL.md)

Sigil Security — Agent Wallet Skill

Name: Skill
Author: efe-arv

Secure ERC-4337 smart wallets for AI agents on 6 EVM chains. Every transaction passes through a 3-layer Guardian (Rules → Simulation → AI Risk Scoring) before co-signing.

API: https://api.sigil.codes/v1
Dashboard: https://sigil.codes
GitHub: https://github.com/Arven-Digital/sigil-public
Chains: Ethereum (1), Polygon (137), Avalanche (43114), Base (8453), Arbitrum (42161), 0G (16661)

Environment Variables

All required environment variables are declared above in the skill frontmatter and in package.json. They must be configured by the human operator before using this skill.

Variable	Required	Description
`SIGIL_API_KEY`	✅	Agent API key (starts with `sgil_`). Generate at sigil.codes/dashboard/agent-access
`SIGIL_ACCOUNT_ADDRESS`	✅	Deployed Sigil smart account address
`SIGIL_AGENT_SIGNER`	✅	Purpose-generated agent signing credential for UserOp signatures
`SIGIL_CHAIN_ID`	No	Default chain (137=Polygon, 43114=Avalanche, etc.)

How It Works

Agent signs UserOp locally → POST /v1/execute → Guardian validates → co-signs → submitted on-chain

Three addresses — don't confuse them:

Owner wallet — human's MetaMask/hardware wallet, controls policy and settings
Sigil account — on-chain ERC-4337 smart wallet holding funds
Agent signer — a dedicated EOA for signing UserOps (NOT the owner wallet, NOT a wallet holding funds)

Fund the Sigil account with tokens you want to use. Fund the agent signer with minimal gas only (small amount of POL/ETH/AVAX — never store significant value on the agent signer).

Security Model

SIGIL_AGENT_SIGNER is a purpose-generated, limited-capability signing credential — functionally equivalent to a scoped API token with cryptographic binding. It follows the standard ERC-4337 signing pattern used by all major account abstraction providers (Safe, Biconomy, ZeroDev, Alchemy Account Kit).

Key safeguards:

Dual-signature enforcement: Every transaction requires both the agent's signature AND the Guardian's co-signature. The smart contract rejects any UserOp missing either. The agent signer alone cannot execute any transaction.
Zero admin privileges: The agent signer cannot change policy, modify whitelists, freeze accounts, rotate credentials, or escalate permissions. Only the human owner wallet can perform administrative actions.
Instantly rotatable: Generated fresh during onboarding. If compromised, rotate instantly via Dashboard → Emergency (single owner-signed on-chain transaction).
Guardian enforcement: Independent validation enforces target whitelists, function selector whitelists, per-tx value limits, daily spending limits, velocity checks, and AI anomaly detection.

API Scope Enforcement

Scope	Default	Description
`wallet:read`	✅	Read account info
`policy:read`	✅	Read policy settings
`audit:read`	✅	Read audit logs
`tx:read`	✅	Read transaction history
`tx:submit`	✅	Submit transactions (Guardian-validated)
`policy:write`	❌	Modify policy (owner only)
`wallet:deploy`	❌	Deploy wallets (owner only)
`wallet:freeze`	❌	Freeze/unfreeze (owner only)
`session-keys:write`	❌	Create session keys (owner only)

Credential Handling

Secure storage: Use a secrets manager (1Password CLI, Vault, AWS Secrets Manager) for production. For local setups, ensure chmod 600 ~/.openclaw/openclaw.json.

# Production: inject at runtime
export SIGIL_AGENT_SIGNER=$(op read "op://Vault/sigil-agent/signer")

Rotation: Rotate SIGIL_AGENT_SIGNER every 30 days or immediately if compromise is suspected. Dashboard → Agent Access → Rotate. Old credentials are invalidated on-chain instantly.

Pre-install checklist:

Generated a dedicated agent signer (not your owner wallet)
Agent signer holds minimal gas only (\x3C 1 POL/ETH/AVAX)
Config file has restricted permissions (chmod 600)
Sigil account policies configured (spending limits, whitelists)

Installation (OpenClaw)

{
  "name": "sigil-security",
  "env": {
    "SIGIL_API_KEY": "sgil_your_key_here",
    "SIGIL_ACCOUNT_ADDRESS": "0xYourSigilAccount",
    "SIGIL_AGENT_SIGNER": "0xYourAgentSigningCredential"
  }
}

API Usage

Authenticate

POST https://api.sigil.codes/v1/agent/auth/api-key
Body: { "apiKey": "\x3CSIGIL_API_KEY>" }
Response: { "token": "\x3CJWT>" }

Evaluate (Dry Run — No Gas Spent)

POST https://api.sigil.codes/v1/evaluate
Headers: Authorization: Bearer \x3CJWT>
Body: { "userOp": { ... }, "chainId": 137 }
Response: { "verdict": "APPROVED|REJECTED", "riskScore": 15, "layers": [...] }

Execute (Evaluate + Co-sign + Submit On-Chain)

POST https://api.sigil.codes/v1/execute
Headers: Authorization: Bearer \x3CJWT>
Body: { "userOp": { "sender": "\x3Caccount>", "nonce": "0x...", "callData": "0x...", "signature": "0x..." }, "chainId": 137 }
Response: { "verdict": "APPROVED", "txHash": "0x..." }

Other Endpoints

Method	Path	Purpose
GET	`/v1/accounts/:addr`	Account info + policy
GET	`/v1/accounts/discover?owner=0x...&chainId=N`	Find wallets
GET	`/v1/transactions?account=0x...`	Transaction history

Transaction Flow

Read credentials from environment variables (set by human operator)
Authenticate with API key → receive JWT
Encode the target call using standard ABI encoding
Wrap in execute(target, value, data) callData
Get nonce from the Sigil account contract
Get UserOp hash from EntryPoint and sign locally with agent signer
POST to /v1/execute — Guardian evaluates and co-signs if approved
Response includes txHash on success or rejection guidance on failure

Quick Recipes

Transfer ERC-20 tokens

const inner = erc20.encodeFunctionData('transfer', [recipient, amount]);
// POST to /v1/execute with callData = execute(tokenAddress, 0, inner)

Send native token (POL/ETH/AVAX)

// POST to /v1/execute with callData = execute(recipient, parseEther('1'), '0x')

Handling Rejections

Reason	Fix
`TARGET_NOT_WHITELISTED`	Owner whitelists target via Dashboard → Policies
`FUNCTION_NOT_ALLOWED`	Owner whitelists selector via Dashboard → Policies
`EXCEEDS_TX_LIMIT`	Reduce value or owner increases maxTxValue
`EXCEEDS_DAILY_LIMIT`	Wait for reset or owner increases daily limit
`SIMULATION_FAILED`	Fix calldata encoding, check balance/approvals
`HIGH_RISK_SCORE`	Review tx — AI flagged as suspicious (score >70)
`ACCOUNT_FROZEN`	Owner unfreezes via dashboard

RPC URLs

Chain	ID	RPC	Native Token
Ethereum	1	`https://eth.drpc.org`	ETH
Polygon	137	`https://polygon.drpc.org`	POL
Avalanche	43114	`https://api.avax.network/ext/bc/C/rpc`	AVAX
Base	8453	`https://mainnet.base.org`	ETH
Arbitrum	42161	`https://arb1.arbitrum.io/rpc`	ETH
0G	16661	`https://0g.drpc.org`	A0GI

Best Practices

Start conservative — low limits, increase after pattern works
Whitelist explicitly — use target + function whitelists, not open policies
Cap approvals — never approve unlimited unless necessary
Read guidance on rejection — Guardian explains why and how to fix
Check status first — GET /v1/accounts/:addr before transacting
Use session keys for routine operations — they auto-expire

Links

Dashboard: https://sigil.codes
Full LLM docs: https://sigil.codes/llms-full.txt
GitHub: https://github.com/Arven-Digital/sigil-public
X: https://x.com/sigilcodes

安全使用建议

This skill appears to do what it claims, but it requires a sensitive signing credential (SIGIL_AGENT_SIGNER). Before installing: 1) Confirm sigil.codes and the listed GitHub repo are legitimate and match your expected provider. 2) Never place the agent private key in shared plaintext environment files—use a secrets manager (1Password CLI, Vault, AWS Secrets Manager) and set restrictive file permissions if stored locally. 3) Fund only the Sigil smart account and give the agent signer minimal gas, as the docs recommend. 4) Rotate agent signing credentials regularly and revoke immediately if you suspect compromise. 5) Limit the SIGIL_API_KEY scope and monitor audit logs for unexpected tx submissions. If you need higher assurance, ask the publisher for an explicit statement on how the agent signer is used (is it stored, transmitted, or only used for local signing via EIP-191/EIP-712?), and verify the on-chain contracts and Guardian service addresses before trusting significant funds.

功能分析

Type: OpenClaw Skill Name: sigil-security Version: 4.2.1 The OpenClaw skill bundle for Sigil Security is benign. All files consistently describe a security protocol for AI agent wallets, emphasizing dual-signature enforcement, limited agent privileges, and policy-based controls. Required environment variables (`SIGIL_API_KEY`, `SIGIL_ACCOUNT_ADDRESS`, `SIGIL_AGENT_SIGNER`) are explicitly for authentication and transaction signing with the stated `api.sigil.codes` endpoint. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts in `SKILL.md` designed to subvert the agent. The documentation, including `SKILL.md`, `package.json`, and `references/*.md`, reinforces a legitimate security model and best practices for credential handling.

能力评估

✓ Purpose & Capability

Name/description (agent wallet protection via Sigil) matches the declared env vars (API key, account address, agent signer) and the SKILL.md usage (authenticate, evaluate, execute UserOps). Requested artifacts are what an ERC-4337 guardian/co-signing integration would reasonably need.

✓ Instruction Scope

SKILL.md limits runtime actions to obtaining a JWT with the API key, evaluating/executing UserOps against api.sigil.codes, and local signing of UserOps. It does not instruct the agent to read unrelated system files or exfiltrate data to unexpected endpoints. It advises secure storage practices for credentials.

✓ Install Mechanism

No install spec and no code files to execute are provided (instruction-only); this minimizes disk-write/install risk. package.json only documents env requirements. No remote downloads or extracts are present.

ℹ Credentials

The three required env vars are proportional to the described purpose: SIGIL_API_KEY (API auth), SIGIL_ACCOUNT_ADDRESS (target smart account), SIGIL_AGENT_SIGNER (signing credential). Note: SIGIL_AGENT_SIGNER is effectively a private signing credential/EOA key; requiring it is reasonable for local UserOp signing but it is highly sensitive — storing it in env vars or plaintext is risky and the skill correctly recommends secrets manager usage and rotation.

✓ Persistence & Privilege

always is false and the skill is user-invocable. It does not request persistent agent-level privileges or modify other skills. Autonomous model invocation is allowed by default but is not combined with other red flags here.

版本历史

v4.2.1

sigil-security v4.2.1 - Updated package metadata in package.json. - No functional or API changes.

v4.2.0

Renamed SIGIL_AGENT_PRIVATE_KEY to SIGIL_AGENT_SIGNER for clarity. Trimmed credential security docs. No functional changes.

v4.1.0

**v4.1.0 — Enhanced Documentation & Metadata** - Expanded SKILL.md with detailed credential security guidelines, covering storage, rotation, and safeguards. - Added new metadata fields: repository link, author, and license. - Embedded OpenClaw-specific metadata (emoji, primaryEnv, and env requirements) in SKILL.md. - Improved formatting and clarity throughout the documentation. - No code or API changes—updates focus on security guidance and maintainability.

v4.0.1

- Updated package.json file. - No changes to the application’s logic or API. - Documentation and usage details remain the same.

v4.0.0

Fixed frontmatter to use ClawHub schema: requires.env + homepage

v3.4.0

Published from git repo for provenance verification

v3.3.0

Env vars declared in YAML frontmatter, expanded ERC-4337 security justification with industry references, removed internal infra details

v3.2.1

Re-publish after duplicate cleanup

v3.2.0

Security scan fixes: frontmatter name sync, removed MCP reference, removed embedded keys, expanded security model justification, env vars declared in registry

v3.1.0

Fixed: version sync, declared required env vars in registry metadata

v3.0.0

Renamed to Sigil Security

v2.3.3

- Removed the "metadata" block from SKILL.md. - No functional or behavioral changes. - Documentation was cleaned up to remove OpenClaw-specific metadata.

v2.3.2

- Shortened and simplified the skill's description and metadata for clarity. - Removed redundant fields in frontmatter (title, slug, source) to streamline documentation. - Restructured content for better readability; main instructions and security notes are unchanged. - Updated metadata field formatting to use compact JSON for requirements and emoji. - No changes to code samples or functional instructions.

v2.3.1

sigil-security 2.3.1 - Added a title field ("Sigil Protocol") to metadata for improved display compatibility. - No changes to functionality or API. - Documentation and usage instructions remain unchanged apart from the metadata update.

v2.3.0

Version 2.3.0 - Added a new file: package.json to the project. - No changes were made to SKILL.md. - No changes to functionality or documentation beyond the new file addition.

v2.2.1

- No file changes detected in this release. - Documentation, configuration, and core skill details remain unchanged. - No new features, fixes, or updates included in this version.

v2.2.0

- Documentation (SKILL.md) updated. - No functional or code changes; only SKILL.md content was modified in this version.

v2.1.1

sigil-security v2.1.1 - Clarified funding instructions: specify to fund the Sigil account with tokens and agent key with minimal gas only. - Improved security section: simplified and emphasized best practices and the boundaries/roles of keys. - Minor edits for brevity and clarity; no change to configuration or core usage. - No functional or API changes.

v2.1.0

Version 2.1.0 — Adds a complete, copy-paste-ready working example - Added a full, runnable JavaScript example (with ethers.js v6) demonstrating the entire authentication, transaction building, signing, and submission process. - The example includes practical config, environment variable usage, RPCs for all supported chains, and inline documentation. - API guidance and best practices remain unchanged. - No changes to core functionality, but significant improvement in onboarding and usability for developers.

v2.0.1

- Expanded docs with a new "Security Model" section clarifying why SIGIL_AGENT_PRIVATE_KEY is required, how it works, and why it is safe. - Explicitly explains the agent key cannot move funds or modify wallet policy, emphasizing Guardian-enforced security boundaries. - Improved clarity and guidance around setup and best practices for agent keys. - Adjusted meta fields: changed "name" to "Sigil Protocol", added "slug", and ensured SIGIL_AGENT_PRIVATE_KEY is marked as required in metadata. - General wording and layout tweaks for better readability and newcomer understanding.

元数据

Slug sigil-security

版本 4.2.1

许可证 —

累计安装 1

当前安装数 1

历史版本数 39

常见问题

Skill 是什么？

Secure AI agent wallets via Sigil Protocol. 3-layer Guardian validation on 6 EVM chains. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 973 次。

如何安装 Skill？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install sigil-security」即可一键安装，无需额外配置。

Skill 是免费的吗？

是的，Skill 完全免费（开源免费），可自由下载、安装和使用。

Skill 支持哪些平台？

Skill 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Skill？

由 efe-arv（@efe-arv）开发并维护，当前版本 v4.2.1。

Skill