Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Safe Multisig Skill

v2.1.0

Propose, confirm, and execute Safe multisig transactions using the Safe{Core} SDK (protocol-kit v6 / api-kit v4). TypeScript strict. Use when an agent needs to operate a Safe smart account: (1) create/predict a new Safe, (2) fetch Safe owners/threshold/nonce, (3) list pending multisig txs, (4) build + propose a tx, (5) add confirmations, (6) execute a tx onchain, or (7) troubleshoot Safe nonce/signature issues across chains (Base/Ethereum/Optimism/Arbitrum/Polygon/etc.).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (Safe multisig operations) aligns with what the scripts do (create, propose, approve, execute Safe transactions). However, the registry metadata claims 'Required env vars: none' and 'Primary credential: none', while multiple scripts clearly require sensitive env vars (SAFE_SIGNER_PRIVATE_KEY, SAFE_TX_SERVICE_API_KEY and/or RPC_URL). That metadata omission is an incoherence: a multisig CLI legitimately needs signing keys and RPC/API credentials, and those are present in the code but not declared in the registry.
Instruction Scope
SKILL.md and scripts are explicit about needed operations: reading a tx JSON file, reading SAFE_SIGNER_PRIVATE_KEY and SAFE_TX_SERVICE_API_KEY, contacting the Safe Transaction Service and RPC endpoints, and writing JSON output. The scripts only reference workspace files or user-supplied tx files and call Safe SDK / HTTP APIs; they do not attempt to read unrelated system files or send data to unexpected endpoints. One minor issue: propose-tx contains a comment 'Restrict tx-file paths' but the implementation only uses path.resolve without enforcing an in-workspace restriction, so it could read any file the runner can access.
Install Mechanism
No aggressive install script or remote archive downloads: bootstrap.sh runs 'npm install' using the included package.json/package-lock which lists typical dependencies (@safe-global packages, ethers, commander). This is standard for a TypeScript CLI and proportionate to the task, though installing npm packages always carries normal supply-chain risk and should be performed in a controlled environment.
Credentials
The code requires sensitive environment variables (SAFE_SIGNER_PRIVATE_KEY for signing; SAFE_TX_SERVICE_API_KEY may be needed for the official transaction service; RPC_URL or RPC defaults are used). Those are appropriate for the skill's functionality, but they are not declared in the registry metadata or requirement section; this mismatch can lead users to install/run the skill without understanding that it needs private keys. The skill does warn in SKILL.md not to paste keys in chat and recommends low-privilege signers, which is good practice.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not modify other skill configs, and does not require system-wide privileges. It operates as a local CLI toolkit and relies on environment variables provided at runtime; there is no unusual persistence or privilege escalation request.
What to consider before installing
This package appears to implement exactly what it says (a Safe multisig CLI), but it does require sensitive secrets that the registry metadata does not advertise. Before installing or running it: (1) inspect package.json and package-lock (you already have them) and consider running npm install in an isolated environment or container; (2) do NOT provide your main owner private key; use a low-privilege signer, a hardware wallet, or a temporary/test key when experimenting; (3) ensure you set SAFE_SIGNER_PRIVATE_KEY, SAFE_TX_SERVICE_API_KEY (if using the official service), and RPC_URL only in your shell or a secure env-file, not pasted into chat or logs; (4) review the propose-tx script behavior around tx-file paths (it resolves any path, so do not point it at files containing other secrets); (5) if you plan to use this for real funds, audit the code or run it in a staging account first; and (6) contact the publisher/source (if you can) to request corrected registry metadata that lists the required env vars.
