Multi-Sig Treasury
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: multi-sig-treasury
Version: 1.0.1
The skill bundle provides legitimate documentation, templates, and API references for managing Gnosis Safe multisig treasuries. It contains no executable code, obfuscation, or malicious instructions, and emphasizes security best practices such as hardware wallet usage and human approval for transactions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Incorrect generated amounts, recipients, chains, or proposal details could cause financial loss if signers approve them without review.
The skill can help prepare materials that may later be used for treasury fund movement. This is high-impact, but the artifact also explicitly states that live on-chain transactions require human approval.
Generating spending proposals or transaction templates ... Executing live on-chain transactions (always require human approval)
Use the skill for drafting and checklists only; verify all recipient addresses, amounts, chains, and transaction data in the official Safe interface before any signer approval.
A mistaken signer change or threshold change could lock out legitimate signers or weaken treasury controls.
Adding/removing owners or changing thresholds affects who controls a multisig treasury. This is central to the skill's purpose, but it is a sensitive privilege boundary.
Managing signer rotation (add/remove owners, change threshold)
Require independent human verification of signer identities, wallet addresses, and threshold changes before proposing or approving any Safe owner-management transaction.
Treasury transaction activity or alert metadata could be visible to the external monitoring service or webhook endpoint used.
The skill suggests optional external notification/webhook integrations, which may expose treasury activity metadata to third-party services if configured.
Set up notifications (Safe webhook or Tenderly)
Use trusted monitoring providers, restrict webhook destinations, and avoid sending unnecessary private governance or treasury context in alerts.
