Safe Multisig Skill
Version: v2.1.0

Propose, confirm, and execute Safe multisig transactions using the Safe{Core} SDK (protocol-kit v6 / api-kit v4). TypeScript strict. Use when an agent needs to operate a Safe smart account — (1) create/predict a new Safe, (2) fetch Safe owners/threshold/nonce, (3) list pending multisig txs, (4) build + propose a tx, (5) add confirmations, (6) execute a tx onchain, or (7) troubleshoot Safe nonce/signature issues across chains (Base/Ethereum/Optimism/Arbitrum/Polygon/etc.).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw
Verdict: Suspicious (high confidence)

Purpose & Capability
The scripts (propose/approve/execute/create) clearly implement Safe multisig operations using the Safe SDK — this matches the description. However the registry metadata says "Required env vars: none" and "Primary credential: none", while multiple scripts require SAFE_SIGNER_PRIVATE_KEY (for signing/deploying/proposing/approving/executing) and rely on RPC_URL/--rpc-url and an optional SAFE_TX_SERVICE_API_KEY. That mismatch between declared requirements and actual runtime needs is a material incoherence.
Instruction Scope
SKILL.md and the scripts limit actions to reading tx JSON files, calling Safe Transaction Service endpoints and RPC nodes, building/signing Safe txs, and optionally sending on-chain transactions. The scripts validate inputs (addresses, tx JSON, tx hashes) and warn against pasting private keys. There are no hidden external endpoints; network activity targets Safe transaction service and configured RPC URLs only.
Install Mechanism
No arbitrary download/install URLs are used. bootstrap.sh runs npm install with a declared package.json/package-lock (official @safe-global packages, ethers, commander). This is expected for a TypeScript CLI; risk is standard npm dependency risk but nothing like an extract-from-arbitrary-URL step is present.
Credentials
The code requires a private key (SAFE_SIGNER_PRIVATE_KEY) for signing/deploying/executing transactions and may rely on RPC_URL and SAFE_TX_SERVICE_API_KEY; these are proportionate to a multisig CLI but they are not reflected in the skill's advertised 'required env vars' or 'primary credential' fields. Requiring an EOA private key is a high-privilege operation (it can move funds), so the omission in metadata is significant and could mislead non-technical users.
Persistence & Privilege
The skill is not marked always:true and does not attempt to modify other skills or system-wide configuration. It is user-invocable and can be invoked autonomously (platform default), which increases impact if misused, but that alone is not flagged here since there are no other signs of malicious persistence.
What to consider before installing
This skill appears to implement legitimate Safe multisig functionality, but the package metadata understates the runtime requirements. Notable points to consider before installing:
- The scripts require SAFE_SIGNER_PRIVATE_KEY (env var) to sign/deploy/propose/approve/execute transactions — providing that key grants the ability to sign transactions that can move funds. Do not provide your main private key.
- The skill also uses RPC endpoints (RPC_URL / --rpc-url) and interacts with the Safe Transaction Service (api.safe.global). You should verify or override those endpoints to ones you trust.
- The registry entry claims no required env vars; that is incorrect. Treat the skill as requiring a signing credential and an RPC/API configuration.
- If you proceed: run the code in an isolated environment, review scripts (especially propose/execute/approve/create-safe), and prefer a low-privilege or ephemeral signer (or a hardware/custodial signing flow) with spending limits. Consider running the scripts in read-only mode first (safe-info, list-pending) and only provide a signer after manual code review.
- If you are not comfortable auditing the TypeScript, do not supply private keys to this skill. If you must automate, use a signing service or HSM that enforces policy rather than raw private keys in environment variables.