crypto-treasury-ops

Pass
Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: crypto-treasury-ops
Version: 0.1.7

The crypto-treasury-ops skill is a well-structured, production-oriented tool for managing blockchain treasury operations across EVM chains and Solana. Its safety architecture is concentrated in a dedicated RiskService (src/services/riskService.ts) that enforces destination allowlists, daily transaction limits, and mandatory approval thresholds for large amounts. The code uses standard, reputable libraries (viem, @solana/web3.js, and the official SDKs for Hyperliquid and Mayan Finance). Private keys are read from environment variables only; in the reviewed artifacts they are not exposed in tool outputs or sent to unauthorized endpoints. SKILL.md explicitly steers the AI agent toward safe execution patterns, such as dry-running and quoting operations before execution, and states that the safety checks cannot be bypassed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, an agent can use the treasury private keys to sign transactions that move crypto assets or place trades; mistakes or misuse can cause irreversible loss.

Why it was flagged

The skill requires raw EVM and Solana signing keys for execution, but the registry metadata says there are no required env vars and no primary credential.

Skill content
Required variables: TREASURY_PRIVATE_KEY=0x... SOLANA_TREASURY_PRIVATE_KEY=... ZEROX_API_KEY=...; Do not pass private keys in tool input JSON; this skill reads them from the environment only
Recommendation

Use only a dedicated limited hot wallet or delegated signer, set strict allowlists and low limits, and update the credential metadata so users see the required authority before install.

What this means

A bad quote, wrong route, or over-permissive approval could result in funds being sent or approved on-chain.

Why it was flagged

Bridge execution signs and broadcasts transaction data returned by an external quote provider. This is expected for bridge tooling, but it is a high-impact trust boundary.

Skill content
const sourceTxHash = await this.walletService.sendTransaction(... { to: txRequest.to, data: txRequest.data, value: txRequest.value ? BigInt(txRequest.value) : 0n, ... })
Recommendation

Always run quote_operation or dryRun immediately before execution, verify recipient/route/provider details, and require real human confirmation for any state-changing call.
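An added example of the pre-flight check this recommendation calls for, written here for illustration and not taken from the skill: before the wallet signs the `to`/`data`/`value` triple a bridge or swap provider returned, the request is compared against the quote that produced it. The check distinguishes an ERC-20 `approve` (spender must be an allowlisted router, the amount must not exceed the swap input, and unlimited approvals are refused) from the swap or bridge call itself (destination must be an allowlisted router and the native value must equal the quoted amount, or zero for token input). The `Quote` shape, the router and token addresses, and the function names are assumptions.

```typescript
// Added example (not the skill's code): pre-flight checks on the unsigned
// transaction a bridge/swap quote provider hands back, run before the wallet
// signs it. Router and token addresses below are constructed.

interface Quote {
  chainId: number;
  fromToken: string;    // input token contract (zero address when the input is native)
  fromAmount: bigint;   // input amount in base units
  nativeInput: boolean; // true when the input is the chain's native coin
}

interface TxRequest {
  chainId?: number;
  to: string;
  data: string;
  value?: string; // decimal or 0x-hex string, as providers commonly return
}

const ERC20_APPROVE_SELECTOR = "0x095ea7b3"; // keccak("approve(address,uint256)")[0:4]
const ZERO = BigInt(0);
const MAX_UINT256 = (BigInt(1) << BigInt(256)) - BigInt(1);
const ADDRESS = /^0x[0-9a-f]{40}$/;

// 32-byte ABI word at `index` (0-based) after the 4-byte selector.
function abiWord(data: string, index: number): bigint {
  const start = 10 + index * 64;
  const word = data.slice(start, start + 64);
  if (word.length !== 64) throw new Error("calldata too short for argument " + index);
  return BigInt("0x" + word);
}

function wordToAddress(word: bigint): string {
  return "0x" + word.toString(16).padStart(40, "0");
}

// Builds approve(spender, amount) calldata; used to construct sample requests.
function encodeApprove(spender: string, amount: bigint): string {
  const pad = (v: bigint) => v.toString(16).padStart(64, "0");
  return ERC20_APPROVE_SELECTOR + pad(BigInt(spender)) + pad(amount);
}

// Returns a list of problems; an empty list means the request matches the quote
// and may be shown to a human for confirmation. It never signs anything itself.
function verifyTxRequest(quote: Quote, tx: TxRequest, allowedRouters: Set<string>): string[] {
  const problems: string[] = [];
  const routers = new Set(Array.from(allowedRouters, (r) => r.toLowerCase()));
  const to = tx.to.toLowerCase();

  if (tx.chainId !== undefined && tx.chainId !== quote.chainId) {
    problems.push(`chainId ${tx.chainId} does not match quoted ${quote.chainId}`);
  }
  if (!ADDRESS.test(to)) problems.push("to is not a 20-byte EVM address");
  if (!/^0x([0-9a-f]{2})*$/i.test(tx.data)) {
    problems.push("data is not valid hex");
    return problems; // nothing below can be decoded safely
  }
  const value = tx.value ? BigInt(tx.value) : ZERO;
  const selector = tx.data.slice(0, 10).toLowerCase();

  if (selector === ERC20_APPROVE_SELECTOR) {
    // An approval must target the quoted input token, name an allowlisted
    // spender, and grant no more than the amount actually being swapped.
    if (to !== quote.fromToken.toLowerCase()) problems.push("approve targets a token other than the quoted input");
    if (value !== ZERO) problems.push("approve call must not carry native value");
    try {
      const spenderWord = abiWord(tx.data, 0);
      const amount = abiWord(tx.data, 1);
      if ((spenderWord >> BigInt(160)) !== ZERO) problems.push("spender word has non-zero upper bytes");
      if (!routers.has(wordToAddress(spenderWord))) problems.push("spender is not an allowlisted router");
      if (amount === MAX_UINT256) problems.push("unlimited approval requested");
      else if (amount > quote.fromAmount) problems.push(`approval ${amount} exceeds swap input ${quote.fromAmount}`);
    } catch (e) {
      problems.push((e as Error).message);
    }
  } else {
    // A swap/bridge call must go to an allowlisted router and carry exactly the
    // quoted native amount (or none when the input is an ERC-20 token).
    if (!routers.has(to)) problems.push("to is not an allowlisted router");
    const expected = quote.nativeInput ? quote.fromAmount : ZERO;
    if (value !== expected) problems.push(`value ${value} does not match expected ${expected}`);
  }
  return problems;
}
```

The allowlist of routers is the key input: it has to come from the operator's configuration, not from the same provider response that supplied `to`, otherwise the check collapses to trusting the provider twice.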

What this means

A future dependency update pulled during npm install could change wallet, signing, or transaction behavior without being reflected in the reviewed artifacts.

Why it was flagged

The npm dependencies are version ranges, and the provided manifest does not include a lockfile. For a private-key signing skill, dependency drift is a material supply-chain concern.

Skill content
"@mayanfinance/swap-sdk": "^13.2.0", "@nktkas/hyperliquid": "^0.32.1", "@solana/web3.js": "^1.98.4", "viem": "^2.23.5"
Recommendation

Pin dependencies, ship a lockfile, audit dependency updates, and install only from a verified source before providing wallet credentials.
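An added example of the manifest check a reviewer would run before handing this skill wallet credentials; it is not part of the skill. It parses a package.json, reports every dependency specifier that is not an exact version (ranges such as the `^` entries quoted above, dist-tags like `latest`), separates out git/URL/file specifiers that bypass the registry entirely, and reports whether any lockfile ships alongside. The manifest in the test is constructed from the dependency lines quoted above; the function names are assumptions.

```typescript
// Added example (not the skill's code): a pre-install audit of a package
// manifest that flags dependency specifiers which are not exact versions and
// reports whether a lockfile accompanies the manifest.

const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const NON_REGISTRY = /^(git\+|git:|github:|https?:|file:|link:)/;
const LOCKFILES = ["package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

interface DriftReport {
  unpinned: string[];    // "name@spec" entries that can resolve to more than one version
  nonRegistry: string[]; // git/url/file specifiers that bypass the registry entirely
  lockfile: string | null;
}

function isExactVersion(spec: string): boolean {
  return EXACT_SEMVER.test(spec.trim());
}

function auditManifest(manifestJson: string, filesInPackage: string[]): DriftReport {
  const manifest = JSON.parse(manifestJson) as Record<string, unknown>;
  const report: DriftReport = { unpinned: [], nonRegistry: [], lockfile: null };

  for (const field of DEP_FIELDS) {
    const deps = manifest[field];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps as Record<string, string>)) {
      if (NON_REGISTRY.test(spec)) {
        report.nonRegistry.push(`${name}@${spec}`);
      } else if (!isExactVersion(spec)) {
        report.unpinned.push(`${name}@${spec}`);
      }
    }
  }
  report.lockfile = LOCKFILES.find((f) => filesInPackage.includes(f)) ?? null;
  return report;
}

// Exact versions in package.json pin only the direct dependencies; transitive
// dependencies still float unless a lockfile is shipped and the install uses
// `npm ci`, which refuses to run when package.json and the lockfile disagree.
function installIsReproducible(report: DriftReport): boolean {
  return report.unpinned.length === 0 && report.nonRegistry.length === 0 && report.lockfile !== null;
}
```

A clean report is a precondition, not a guarantee: the lockfile itself must be reviewed (integrity hashes present, resolved URLs pointing at the expected registry) before the install is trusted with signing keys.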

What this means

External APIs may learn wallet addresses, intended routes, and transaction sizes.

Why it was flagged

The bridge provider receives wallet addresses, token amounts, and route data. This is purpose-aligned, but it shares treasury activity metadata with external providers.

Skill content
endpoint.searchParams.set("fromAddress", request.fromAddress); endpoint.searchParams.set("toAddress", request.toAddress); endpoint.searchParams.set("fromAmount", request.amount.toString()); const response = await fetch(endpoint, ...)
Recommendation

Use trusted provider endpoints, review privacy implications, and consider custom RPC/provider configuration for sensitive treasury operations.

What this means

Local logs may reveal wallet activity, addresses, amounts, or operational patterns to anyone with filesystem access.

Why it was flagged

The skill persists an action log locally. There is no evidence it logs private keys or exfiltrates data, but treasury action history can still be sensitive.

Skill content
JSONL audit logging for every action in `.runtime/treasury-ops.log`
Recommendation

Protect the runtime log path, rotate or delete logs when appropriate, and avoid storing secrets in tool inputs.
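An added example of how the runtime log recommendation can be met in code; it is not the skill's logger. The writer appends JSONL entries like the skill's `.runtime/treasury-ops.log`, keeps the file owner-only (mode 0600 inside a 0700 directory), and scrubs each entry before it is written: fields whose names look secret are masked, and any string containing the value of one of the three environment variables SKILL.md lists is redacted, which also catches a key echoed back inside an error message. BigInt amounts are stringified because JSON.stringify cannot serialise them. The class and function names, the scratch path, and the logged events are assumptions.

```typescript
// Added example (not the skill's code): a JSONL audit logger that keeps the
// log file owner-only (0600 inside a 0700 directory) and scrubs secrets before
// an entry is written. The env var names are the ones SKILL.md lists; the log
// path and events are constructed for illustration.

import * as fs from "fs";
import * as os from "os";
import * as path from "path";

const SECRET_ENV_VARS = ["TREASURY_PRIVATE_KEY", "SOLANA_TREASURY_PRIVATE_KEY", "ZEROX_API_KEY"];
const SECRET_FIELD = /private|secret|mnemonic|seed|api[_-]?key|password/i;

// Secret values to scrub: whatever the named env vars currently hold.
// Very short values are skipped so that redaction cannot blank out ordinary text.
function secretsFromEnv(env: Record<string, string | undefined> = process.env): string[] {
  return SECRET_ENV_VARS.map((n) => env[n] ?? "").filter((s) => s.length >= 8);
}

// Deep-copies `value`, masking fields whose name looks secret and replacing
// every occurrence of a known secret value inside strings (including
// concatenations such as error messages that echo a key).
function redact(value: unknown, secrets: string[]): unknown {
  if (typeof value === "bigint") return value.toString(); // JSON.stringify cannot serialise bigint
  if (typeof value === "string") {
    return secrets.reduce((s, secret) => s.split(secret).join("[REDACTED]"), value);
  }
  if (Array.isArray(value)) return value.map((v) => redact(v, secrets));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SECRET_FIELD.test(k) ? "[REDACTED]" : redact(v, secrets);
    }
    return out;
  }
  return value;
}

class AuditLog {
  private readonly fd: number;

  constructor(private readonly file: string, private readonly secrets: string[]) {
    fs.mkdirSync(path.dirname(file), { recursive: true, mode: 0o700 });
    this.fd = fs.openSync(file, "a", 0o600);
    // The mode passed to openSync only applies when the file is created, so
    // tighten a pre-existing file as well (chmod is a no-op on Windows).
    fs.chmodSync(file, 0o600);
  }

  append(action: string, details: Record<string, unknown>): void {
    const entry = { ts: new Date().toISOString(), action, details: redact(details, this.secrets) };
    fs.writeSync(this.fd, JSON.stringify(entry) + "\n");
  }

  close(): void {
    fs.closeSync(this.fd);
  }
}

// Reads the log back as parsed entries, for review tooling.
function readAuditLog(file: string): Array<Record<string, unknown>> {
  return fs.readFileSync(file, "utf8").split("\n").filter(Boolean).map((l) => JSON.parse(l));
}

// Scratch location for trying the logger out; production should use the
// skill's own .runtime/ directory with the same permissions.
function scratchLogPath(): string {
  return path.join(fs.mkdtempSync(path.join(os.tmpdir(), "treasury-ops-")), "treasury-ops.log");
}
```

Redaction by value is what protects against the case the review cannot rule out statically: a library error that embeds the signing key in its message. Redaction by field name alone would miss it.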