📦 vultisig-sdk: on-chain wallets and transactions

v0.1.0

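The Vultisig SDK lets AI agents autonomously create wallets, sign transactions, swap tokens, and check balances across 36+ chains. It is a seedless, self-custodial MPC vault based on threshold signatures (TSS); the Fast Vault 2-of-2 mode runs around the clock with no manual approval required.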

Last updated: 2026/4/22
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
The skill's instructions match a crypto-wallet SDK workflow, but it asks agents to perform fully autonomous on-chain actions (via a remote co-signer) and to handle highly sensitive secrets without declaring or explaining required credentials/endpoints — this mismatch is concerning and needs clarification before use.
Assessment recommendations
Before installing or enabling this skill, get clear, authoritative answers from the skill provider: (1) Where is the SDK package published (official npm package name) and what is the canonical GitHub repo / maintainer identity? Inspect that repo and npm package before use. (2) Who operates VultiServer? You need explicit configuration: VULTISERVER_URL, authentication tokens, and a trust/SLAs/privacy policy — the skill should declare these as required variables. (3) How are email verification code...
Detailed analysis
Purpose and capabilities
The skill's name/description (TSS-based multi-chain wallet operations) aligns with the SDK usage in SKILL.md (create vaults, sign, broadcast, swaps). However: (1) the Fast Vault pattern relies on a remote VultiServer co-signer and email verification but the skill declares no credentials, endpoints, or trust model for that server; (2) the SKILL.md also lists importing wallets via BIP39 seedphrases — a capability that requires handling secrets yet the top-level metadata requests no environment variables or storage configuration. These omissions make the declared purpose only partially coherent with the required operational context.
Instruction scope
The runtime instructions direct the agent to create Fast Vaults (agent holds a share, VultiServer holds the other), perform prepare→sign→broadcast flows, import/export backups and even import BIP39 seed phrases. They also require email verification for Fast Vault creation and reference multiple external services for swaps (THORChain, 1inch, etc.). The instructions imply network calls and sharing signing payloads with an external co-signer (VultiServer) but do not specify endpoints, auth, or limits — giving broad discretion to the agent to interact with remote services and to handle sensitive secrets (seed phrases, vault shares, backup files).
Installation mechanism
This is instruction-only (no install spec, no code files). That reduces installation risk. The SKILL.md points to an npm package and a GitHub repo as the SDK source; using those is a normal approach but the skill does not perform any automatic network downloads itself.
Credential requirements
The skill declares no required environment variables or primary credential, yet the workflow clearly needs: email delivery/access (for verification codes), likely a VultiServer endpoint and credentials or API keys for co-signing, and possibly API keys for some swap/price services. Asking the agent to manage/ingest seed phrases and vault backups without declaring how those secrets are stored, protected, or supplied is disproportionate and opaque.
Persistence and permissions
always:false (good) and disable-model-invocation:false (normal). However the documented Fast Vault design explicitly enables fully autonomous agent operations (VultiServer auto-co-signs based on policies). Combined with the other concerns (no declared auth, handling of seed phrases), this gives the skill high real-world impact: an autonomous agent could create and move funds without human intervention if the VultiServer policy allows it. That elevated blast radius should be visible to administrators before enabling the skill.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v0.1.0 · 2026/2/4

MPC crypto wallet for AI agents. Create vaults, send tokens, execute cross-chain swaps across 40+ chains.

Suspicious

Install command

Official: npx clawhub@latest install vultisig-sdk
Mirror: npx clawhub@latest install vultisig-sdk --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库