Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lsp28 Grid

v1.0.0

Manage LSP28 The Grid on LUKSO Universal Profiles. Create, update, and manage grid layouts with mini-apps, iframes, and external links. Use when working with...

by LUKSO Agent @luksoagent
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The SKILL.md and scripts match the stated purpose (they encode grid JSON as a VerifiableURI and send an on‑chain setData via a KeyManager), so capability aligns with the name/description. However, the skill metadata claims no required environment variables or primary credential, while the instructions and script require a controller private key (UP_PRIVATE_KEY), UP address, and KEY_MANAGER address. That mismatch (sensitive credentials required but not declared) is an incoherence.
Instruction Scope
Runtime instructions are focused on composing grid data and sending a transaction. They direct the agent to read a local JSON file (optional) and to use env vars for UP_PRIVATE_KEY, UP_ADDRESS, KEY_MANAGER and RPC_URL. There is no evidence of hidden exfiltration or unrelated system access. Two issues to note: (1) the SKILL.md suggests storing a raw private key in an environment variable (sensitive practice), and (2) the doc lists 'Chain ID | 42 | LUKSO Mainnet' which contradicts the referenced mainnet RPC endpoint — a potential documentation/configuration error.
Install Mechanism
This is instruction-only with one included JS script (no install spec). That minimizes install risk (no arbitrary downloads). The script requires the 'ethers' package but the skill does not declare dependencies or provide an install step, so it may fail at runtime and users may install packages manually. No suspicious external download URLs or extract steps are present.
!
Credentials
The code legitimately requires a controller private key (UP_PRIVATE_KEY), UP_ADDRESS, KEY_MANAGER, and optionally RPC_URL to perform on‑chain updates. Those are proportionate to the task, but the skill metadata does not declare any required env vars or primary credential — creating a transparency gap. Also, asking users to place a raw private key in an env var is sensitive; users should prefer a safer signer (hardware wallet, remote signer) where possible.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It does not modify other skills or system-wide configuration. It exports a module and is user-invocable; normal for a CLI/script helper.
What to consider before installing
This skill's code matches its description: it builds a base64 VerifiableURI of a grid and submits it to a Universal Profile via the KeyManager. However:

  • Do not run this with your live controller private key until you trust the source. The script requires UP_PRIVATE_KEY (sensitive). Prefer using a signer that doesn't expose the raw private key (hardware wallet, remote signer, or KeyManager flow where possible).
  • The registry metadata did not declare the required environment variables or primary credential; that transparency gap is suspicious. Confirm you understand and approve supplying the key/address values before using the skill.
  • Verify KEY_MANAGER and UP_ADDRESS values are correct for your account. A malicious KEY_MANAGER or wrong address could cause loss of funds or control.
  • The SKILL.md shows a conflicting Chain ID (42) vs a mainnet RPC URL; verify you are targeting the intended network (testnet vs mainnet) and use a test profile first.
  • Because there is no install spec, you must install dependencies (e.g., ethers) yourself; inspect the script locally before running and run it in an isolated environment.
  • If you cannot verify the skill author or repository (homepage is missing and source is 'unknown'), treat it as untrusted until you can audit it fully.

Actions you can take: review the included scripts line-by-line (they are short), test on a throwaway/test profile, use non-exported ephemeral keys, or refuse to provide a private key and instead adapt the script to use a safer signer.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

LSP28 The Grid Skill

Manage LSP28 The Grid on Universal Profiles. Create grid layouts with mini-apps, iframes, and external links.

Quick Start

1. Configure Environment

Set these environment variables or edit the scripts:

export UP_PRIVATE_KEY="your_controller_private_key"
export UP_ADDRESS="your_universal_profile_address"
export KEY_MANAGER="your_key_manager_address"

2. Update Grid Layout

const { ethers } = require('ethers');

// Grid data structure
const gridData = {
  isEditable: true,
  items: [
    {
      type: 'miniapp',
      id: 'app1',
      title: 'My App',
      backgroundColor: '#1a1a2e',
      textColor: '#ffffff',
      text: 'Click me'
    },
    {
      type: 'iframe',
      src: 'https://example.com/embed',
      id: 'frame1',
      title: 'External Content'
    },
    {
      type: 'external',
      url: 'https://example.com',
      id: 'link1',
      title: 'Visit Site'
    }
  ]
};

// Encode as VerifiableURI
const jsonString = JSON.stringify(gridData);
const base64Data = Buffer.from(jsonString).toString('base64');
const verifiableUri = `data:application/json;base64,${base64Data}`;

3. Execute Transaction

// LSP28 Grid data key
const LSP28_GRID_KEY = '0x31cf14955c5b0052c1491ec06644438ec7c14454be5eb6cb9ce4e4edef647423';

// Minimal ABIs
const LSP0_ABI = ['function setData(bytes32 dataKey, bytes dataValue) external'];
const LSP6_ABI = ['function execute(bytes calldata payload) external payable returns (bytes memory)'];

// Setup provider and wallet
const provider = new ethers.JsonRpcProvider('https://rpc.mainnet.lukso.network');
const wallet = new ethers.Wallet(process.env.UP_PRIVATE_KEY, provider);

// Encode setData call on UP
const upInterface = new ethers.Interface(LSP0_ABI);
const executeData = upInterface.encodeFunctionData('setData', [
  LSP28_GRID_KEY,
  ethers.toUtf8Bytes(verifiableUri)
]);

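// Send via KeyManager. `await` is not valid at the top level of a CommonJS
// script (this one uses require), so the calls run inside an async function.
async function main() {
  const keyManager = new ethers.Contract(process.env.KEY_MANAGER, LSP6_ABI, wallet);
  const tx = await keyManager.execute(executeData);
  const receipt = await tx.wait();
  console.log('Grid updated in block:', receipt.blockNumber);
}

main().catch((err) => {
  console.error(err);
  process.exit(1);
});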

Data Structure Reference

Grid Item Types

Mini-App (type: 'miniapp')

{
  type: 'miniapp',
  id: 'unique-id',          // Required: unique identifier
  title: 'App Title',       // Required: display title
  text: 'Button text',      // Required: button label
  backgroundColor: '#fe005b',  // Required: hex color
  textColor: '#ffffff',     // Required: hex color for text
  size: 'medium'            // Optional: 'small', 'medium', 'large'
}

IFrame (type: 'iframe')

{
  type: 'iframe',
  id: 'unique-id',          // Required: unique identifier
  title: 'Frame Title',     // Required: display title
  src: 'https://example.com/embed'  // Required: iframe URL
}

External Link (type: 'external')

{
  type: 'external',
  id: 'unique-id',          // Required: unique identifier
  title: 'Link Title',      // Required: display title
  url: 'https://example.com'  // Required: external URL
}

Full Grid Structure

{
  isEditable: true,  // Boolean: allows editing
  items: [
    // Array of grid items (see types above)
  ]
}

Important Constants

Constant | Value | Description
LSP28_GRID_KEY | 0x31cf14955c5b0052c1491ec06644438ec7c14454be5eb6cb9ce4e4edef647423 | Data key for grid storage
Chain ID | 42 | LUKSO Mainnet
RPC URL | https://rpc.mainnet.lukso.network | Public RPC endpoint

Color Contrast Requirements

Ensure text is readable on background colors:

Background | Text Color | Result
#1a1a2e (dark) | #ffffff (white) | Good contrast
#ffffff (white) | #000000 (black) | Good contrast
#fe005b (pink) | #ffffff (white) | Good contrast
#000000 (black) | #fe005b (pink) | Good contrast

Common Mistakes

Wrong property names:

// WRONG:
{ color: '#fe005b', content: 'Click me' }

// CORRECT:
{ backgroundColor: '#fe005b', text: 'Click me' }

Missing required fields:

  • All items need: type, id, title
  • Mini-apps additionally need: text, backgroundColor, textColor

Wrong encoding:

// WRONG - toUtf8String instead of toUtf8Bytes:
setData(key, ethers.toUtf8String(uri))

// CORRECT:
setData(key, ethers.toUtf8Bytes(uri))
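
A validator for the mistakes listed above, as an added example that is not part of the skill's scripts: it checks each item against the required fields in the Data Structure Reference before the grid is encoded. The function names, the https-only rule for src and url, and the unique-id check are assumptions introduced here.

```javascript
// Added example, not part of the skill. Field rules come from the page's
// "Data Structure Reference"; the https-only and unique-id rules are assumptions.
const REQUIRED = new Map([
  ['miniapp', ['id', 'title', 'text', 'backgroundColor', 'textColor']],
  ['iframe', ['id', 'title', 'src']],
  ['external', ['id', 'title', 'url']],
]);
const OPTIONAL = new Map([['miniapp', ['size']]]);
const SIZES = ['small', 'medium', 'large'];
const HEX_COLOR = /^#[0-9a-fA-F]{6}$/;

function isHttps(value) {
  try { return new URL(value).protocol === 'https:'; } catch { return false; }
}

// Returns a list of problems; an empty list means the grid is acceptable.
function validateGrid(grid) {
  const errors = [];
  if (typeof grid?.isEditable !== 'boolean') errors.push('isEditable must be a boolean');
  if (!Array.isArray(grid?.items)) return [...errors, 'items must be an array'];
  const seen = new Set();
  for (const [i, item] of grid.items.entries()) {
    const at = `items[${i}]`;
    const required = REQUIRED.get(item?.type);
    if (!required) { errors.push(`${at}: unknown type`); continue; }
    const allowed = ['type', ...required, ...(OPTIONAL.get(item.type) ?? [])];
    for (const f of required) {
      if (typeof item[f] !== 'string' || item[f] === '') errors.push(`${at}: missing ${f}`);
    }
    for (const f of Object.keys(item)) {
      if (!allowed.includes(f)) errors.push(`${at}: unexpected property ${f}`);
      else if (/Color$/.test(f) && !HEX_COLOR.test(item[f])) errors.push(`${at}: ${f} is not a hex color`);
      else if ((f === 'src' || f === 'url') && !isHttps(item[f])) errors.push(`${at}: ${f} must be an https URL`);
      else if (f === 'size' && !SIZES.includes(item[f])) errors.push(`${at}: size must be one of ${SIZES}`);
    }
    if (typeof item.id === 'string' && seen.has(item.id)) errors.push(`${at}: duplicate id ${item.id}`);
    seen.add(item.id);
  }
  return errors;
}

// Encode as in step 2, but refuse a grid that fails validation.
function encodeGrid(grid) {
  const errors = validateGrid(grid);
  if (errors.length) throw new Error(errors.join('; '));
  return `data:application/json;base64,${Buffer.from(JSON.stringify(grid)).toString('base64')}`;
}
```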

Transaction Flow

Controller Key 
    ↓
KeyManager.execute(payload)
    ↓
UP.setData(LSP28_GRID_KEY, verifiableUri)
    ↓
Grid updated on-chain
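
A pre-flight check for the flow above, as an added example that is not part of the skill's own scripts: it validates the three environment values, then compares the node's chain ID with the page's constant (42) and the profile's owner() with KEY_MANAGER. The rpc callback, the function names, and the assumption that the Universal Profile's owner() is its KeyManager are introduced here.

```javascript
// Added example, not part of the skill: checks to run before any signing.
const EXPECTED_CHAIN_ID = 42n;        // "Chain ID" from the constants table
const OWNER_SELECTOR = '0x8da5cb5b';  // 4-byte selector of owner()
const ADDRESS = /^0x[0-9a-fA-F]{40}$/;

// Static checks on the environment values; returns a list of problems.
function checkEnv(env) {
  const problems = [];
  for (const name of ['UP_ADDRESS', 'KEY_MANAGER']) {
    if (!ADDRESS.test(env[name] || '')) problems.push(`${name} is not a 20-byte hex address`);
  }
  // Report only the shape of the key, never its value.
  if (!/^(0x)?[0-9a-fA-F]{64}$/.test(env.UP_PRIVATE_KEY || '')) {
    problems.push('UP_PRIVATE_KEY is not a 32-byte hex key');
  }
  if (problems.length === 0 && env.UP_ADDRESS.toLowerCase() === env.KEY_MANAGER.toLowerCase()) {
    problems.push('UP_ADDRESS and KEY_MANAGER are the same address');
  }
  return problems;
}

// Compare what the node answered with what the operator expects.
// Assumption: the profile is owned by its KeyManager, so owner() must equal KEY_MANAGER.
function checkChainState(env, chainIdHex, ownerWord) {
  const problems = [];
  if (BigInt(chainIdHex) !== EXPECTED_CHAIN_ID) {
    problems.push(`RPC is on chain ${BigInt(chainIdHex)}, expected ${EXPECTED_CHAIN_ID}`);
  }
  if (!/^0x[0-9a-fA-F]{64}$/.test(ownerWord)) {
    problems.push('UP_ADDRESS did not return an owner() word');
  } else if (('0x' + ownerWord.slice(-40)).toLowerCase() !== env.KEY_MANAGER.toLowerCase()) {
    problems.push('owner() of UP_ADDRESS is not KEY_MANAGER');
  }
  return problems;
}

// rpc is a hypothetical injected async function: (method, params) => result.
async function preflight(env, rpc) {
  const problems = checkEnv(env);
  if (problems.length) return problems;
  const chainIdHex = await rpc('eth_chainId', []);
  const ownerWord = await rpc('eth_call', [{ to: env.UP_ADDRESS, data: OWNER_SELECTOR }, 'latest']);
  return checkChainState(env, chainIdHex, ownerWord);
}
```

Run preflight before constructing the wallet and stop if the returned list is not empty.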

CLI Usage

Use the provided script:

# Use example grid
node scripts/update-grid.js --example

# Load from JSON file
node scripts/update-grid.js --file my-grid.json
