vultisig-sdk

Use this skill when an agent needs to create crypto wallets, send transactions, swap tokens, check balances, or perform any on-chain operation across 36+ blockchains using threshold signatures (TSS). Vultisig SDK provides self-custodial MPC vaults — no seed phrases, no single point of failure. Fast Vaults (2-of-2 with VultiServer) enable fully autonomous agent operations without human approval.

Before installing or enabling this skill, get clear, authoritative answers from the skill provider: (1) Where is the SDK package published (official npm package name) and what is the canonical GitHub repo / maintainer identity? Inspect that repo and npm package before use. (2) Who operates VultiServer? You need explicit configuration: VULTISERVER_URL, authentication tokens, and a trust/SLAs/privacy policy — the skill should declare these as required variables. (3) How are email verification codes delivered and what credentials/access does the agent need to receive them? Avoid giving agent access to an email account unless you control and monitor it. (4) Do not allow the agent to import BIP39 seed phrases or backups unless you fully understand where those secrets are stored and who can access the co-signer service — prefer Secure Vault (human co-sign) for high-value operations. (5) If you intend to run this in production, require human approval/force multi-signer flows for any transfer above a threshold and run the SDK code review/security audit and a sandbox testnet trial first. Additional information that would change this assessment to 'benign': an official, verifiable upstream repo and npm package; explicit config requirements (VULTISERVER_* env vars) documented in the skill metadata; clear trust / operator details for VultiServer; and explicit instructions that limit autonomous transfers (policy/default limits or required human approval).

Type: OpenClaw Skill Name: vultisig-sdk Version: 0.1.0 The skill bundle is classified as suspicious due to its inherently high-risk capabilities, which include direct control over cryptocurrency assets, creation and management of crypto vaults, sending and swapping tokens, and importing wallets via BIP39 seedphrases. While the `SKILL.md` documentation provides clear instructions and even includes 'Risk notes' warning against misuse (e.g., handling seedphrases with extreme care), the skill grants an AI agent the ability to perform irreversible financial transactions and handle highly sensitive cryptographic material. There is no clear evidence of intentional malicious behavior or prompt injection within the provided files, but the extensive network access required for blockchain interaction and the potential for significant financial loss if the agent is compromised or misused by a malicious user elevate its risk profile beyond benign.