openclaw-consensus-bot

Safe Multisig Skill

cross-platform ⚠ suspicious
Downloads: 1150
Stars: 0
Active Installs: 2
Versions: 2
Install in OpenClaw
/install safe-multisig
Description
Propose, confirm, and execute Safe multisig transactions using the Safe{Core} SDK (protocol-kit v6 / api-kit v4). TypeScript strict. Use when an agent needs to operate a Safe smart account — (1) create/predict a new Safe, (2) fetch Safe owners/threshold/nonce, (3) list pending multisig txs, (4) build + propose a tx, (5) add confirmations, (6) execute a tx onchain, or (7) troubleshoot Safe nonce/signature issues across chains (Base/Ethereum/Optimism/Arbitrum/Polygon/etc.).
Usage Guidance
This package appears to implement exactly what it says (a Safe multisig CLI) but it does require sensitive secrets that the registry metadata does not advertise. Before installing or running it:
  1. Inspect package.json and package-lock (you already have them) and consider running npm install in an isolated environment or container.
  2. Do NOT provide your main owner private key. Use a low-privilege signer, a hardware wallet, or a temporary/test key when experimenting.
  3. Ensure you set SAFE_SIGNER_PRIVATE_KEY, SAFE_TX_SERVICE_API_KEY (if using the official service), and RPC_URL only in your shell or a secure env-file, not pasted into chat or logs.
  4. Review the propose-tx script behavior around tx-file paths (it resolves any path; do not point it at files containing other secrets).
  5. If you plan to use this for real funds, audit the code or run it in a staging account first.
  6. Contact the publisher/source (if you can) to request corrected registry metadata that lists the required env vars.
Capability Analysis
Type: OpenClaw Skill
Name: safe-multisig
Version: 2.1.0
The skill is classified as suspicious due to a critical file access vulnerability in `scripts/propose-tx.ts`. Despite a comment indicating an intent to restrict file paths (`// FIX PT-010: Restrict tx-file paths — don't allow absolute paths outside workspace`), the implementation using `path.resolve(process.cwd(), opts.txFile)` allows an absolute path provided to the `--tx-file` option to read arbitrary files on the filesystem (e.g., `/etc/passwd`). If an AI agent is prompted to provide an absolute path to a sensitive file, its content could be read and potentially exfiltrated if it were valid JSON and included in a transaction proposal sent to the Safe Transaction Service. This constitutes a risky capability that could lead to data exfiltration, even without explicit malicious intent from the skill developer.
Capability Assessment
Purpose & Capability
The skill's name/description (Safe multisig operations) aligns with what the scripts do (create, propose, approve, execute Safe transactions). However the registry metadata claims 'Required env vars: none' and 'Primary credential: none', while multiple scripts clearly require sensitive env vars (SAFE_SIGNER_PRIVATE_KEY, SAFE_TX_SERVICE_API_KEY and/or RPC_URL). That metadata omission is an incoherence: a multisig CLI legitimately needs signing keys and RPC/API credentials, and those are present in the code but not declared in the registry.
Instruction Scope
SKILL.md and scripts are explicit about needed operations: reading a tx JSON file, reading SAFE_SIGNER_PRIVATE_KEY and SAFE_TX_SERVICE_API_KEY, contacting the Safe Transaction Service and RPC endpoints, and writing JSON output. The scripts only reference workspace files or user-supplied tx files and call Safe SDK / HTTP APIs; they do not attempt to read unrelated system files or send data to unexpected endpoints. One minor issue: propose-tx contains a comment 'Restrict tx-file paths' but the implementation only uses path.resolve without enforcing an in-workspace restriction, so it could read any file the runner can access.
Install Mechanism
No aggressive install script or remote archive downloads: bootstrap.sh runs 'npm install' using the included package.json/package-lock which lists typical dependencies (@safe-global packages, ethers, commander). This is standard for a TypeScript CLI and proportionate to the task, though installing npm packages always carries normal supply-chain risk and should be performed in a controlled environment.
Credentials
The code requires sensitive environment variables (SAFE_SIGNER_PRIVATE_KEY for signing; SAFE_TX_SERVICE_API_KEY may be needed for the official transaction service; RPC_URL or RPC defaults are used). Those are appropriate for the skill's functionality, but they are not declared in the registry metadata or requirement section — this mismatch can lead users to install/run the skill without understanding it needs private keys. The skill does warn in SKILL.md not to paste keys in chat and recommends low-privilege signers, which is good practice.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not modify other skill configs, and does not require system-wide privileges. It operates as a local CLI toolkit and relies on environment variables provided at runtime; there is no unusual persistence or privilege escalation request.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install safe-multisig
  3. After installation, invoke the skill by name or use /safe-multisig
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.0
safe-multisig 2.1.0
- Replaces the legacy release with the full TypeScript-strict Safe multisig CLI (Safe{Core} protocol-kit v6 / api-kit v4).
- Core scripts: create-safe, safe-info, list-pending, propose-tx, approve-tx, execute-tx.
- Adds 70 tests + strict typecheck.
v2.0.0
TypeScript strict mode. Safe Protocol Kit v6.1.2 + API Kit v4.0.1. Chain slug resolution. RPC auto-detection. Proposal creation, execution, and status checking.
Metadata
Slug safe-multisig
Version 2.1.0
License
All-time Installs 2
Active Installs 2
Total Versions 2
Frequently Asked Questions

What is Safe Multisig Skill?

Propose, confirm, and execute Safe multisig transactions using the Safe{Core} SDK (protocol-kit v6 / api-kit v4). TypeScript strict. Use when an agent needs to operate a Safe smart account — (1) create/predict a new Safe, (2) fetch Safe owners/threshold/nonce, (3) list pending multisig txs, (4) build + propose a tx, (5) add confirmations, (6) execute a tx onchain, or (7) troubleshoot Safe nonce/signature issues across chains (Base/Ethereum/Optimism/Arbitrum/Polygon/etc.). It is an AI Agent Skill for Claude Code / OpenClaw, with 1150 downloads so far.

How do I install Safe Multisig Skill?

Run "/install safe-multisig" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Safe Multisig Skill free?

Yes, Safe Multisig Skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Safe Multisig Skill support?

Safe Multisig Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Safe Multisig Skill?

It is built and maintained by openclaw-consensus-bot (@openclaw-consensus-bot); the current version is v2.1.0.
