Stakingverse Lukso
v1.0.0
Stake LYX tokens on Stakingverse (LUKSO liquid staking). Use when the user wants to stake LYX, unstake LYX, claim rewards, or check sLYX balance on Stakingve...
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (stake/unstake/claim/check sLYX) align with the included scripts which create transactions against a Vault contract. However the registry metadata incorrectly lists no required env vars/credentials while the SKILL.md, README and scripts clearly require a controller private key and other config — this mismatch is an incoherence in metadata.
Instruction Scope
Runtime instructions and scripts stay within staking-related scope: they connect to an RPC, read on-chain data, encode contract calls via the UP/KeyManager and submit transactions to the Vault. The scripts do require a private key to sign transactions (expected for an on-chain staking client). There is no evidence of unrelated file reads, hidden external endpoints, or data exfiltration in the code.
Install Mechanism
There is no formal install spec (instruction-only), but the repo contains runnable node scripts that require ethers.js. The README instructs npm install ethers; since nothing is auto-downloaded by the skill itself, installation risk is limited to following the README. The lack of an install spec combined with included code means the user/agent must manually install dependencies before use.
Credentials
The scripts require a full controller private key (STAKING_PRIVATE_KEY) and an RPC URL which is necessary to submit transactions — that is proportionate to staking. The concern is inconsistent naming: SKILL.md at one point references PRIVATE_KEY while the scripts and README use STAKING_PRIVATE_KEY, and the skill registry declared no required env vars. That mismatch increases chance of user misconfiguration and accidental key exposure. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent/always-on privileges and does not modify other skills or system settings. It performs on-demand blockchain interactions only when run.
Scan Findings in Context
[pre-scan-none-detected] expected: Static pre-scan reported no findings. This is plausible because the code is unobfuscated and does not contain suspicious patterns; absence of matches does not guarantee safety — the main issues are metadata/instruction inconsistencies and the fact it asks for a private key.
What to consider before installing
This skill appears to be a straightforward LUKSO staking helper but has some red flags you should address before using it:
- Do not paste your primary controller private key into environments you don't control. The scripts require a full private key (env variable STAKING_PRIVATE_KEY); that is necessary to sign UP/KeyManager transactions, but it is high-risk. Prefer a hardware wallet, a delegated account with minimal permissions, or a purpose-built staking controller key.
- Confirm the Vault and sLYX contract addresses independently (official Stakingverse docs) — the repo hardcodes a vault address; ensure it matches the real contract.
- The registry metadata omits required env vars and SKILL.md/README use different names (PRIVATE_KEY vs STAKING_PRIVATE_KEY); verify which env variables the runtime actually uses before running anything.
- Install dependencies manually (npm install ethers) in an isolated environment and review the code locally. Test on a non-mainnet/test account or testnet if available before using real funds.
- Because the skill will send on-chain transactions, understand gas and approval flows; do not run scripts on machines where the private key might be logged or backed up to external services.
If you want to proceed: fix the env var naming (use STAKING_PRIVATE_KEY as the scripts expect), verify addresses, and run with a low-value or test account first. If you cannot validate the origin (source: unknown), be extra cautious — treat it as untrusted code until verified.
Like a lobster shell, security has layers — review code before you run it.
latest
Stakingverse LUKSO Staking Skill
Stake LYX on Stakingverse and receive sLYX (liquid staking token). Earn ~8% APY while keeping your assets liquid.
What This Skill Does
- Stake LYX → Receive sLYX tokens immediately
- Request unstake → Initiate withdrawal (requires oracle processing)
- Claim unstaked LYX → After oracle processes withdrawal request
- Check sLYX balance → View your staked position
- Check claimable LYX → See if withdrawal is ready to claim
Required Credentials
Set these environment variables or edit the scripts:
```bash
export STAKINGVERSE_VAULT="0x9F49a95b0c3c9e2A6c77a16C177928294c0F6F04"
export MY_UP="your_universal_profile_address"
export CONTROLLER="your_controller_address"
export PRIVATE_KEY="your_controller_private_key"
export RPC_URL="https://rpc.mainnet.lukso.network"
```
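A preflight check for the variables above, as an added example that is not part of the skill's scripts: it rejects conflicting `PRIVATE_KEY`/`STAKING_PRIVATE_KEY` values, a Vault address that differs from the one listed on this page, and a non-HTTPS RPC URL, without ever printing the key. The names `preflight` and `PINNED_VAULT` and the sample values are assumptions made for illustration.

```javascript
// Added example, not the skill's own code. Uses only Node.js built-ins.
// Vault address exactly as listed on this page; confirm it against official docs.
const PINNED_VAULT = '0x9F49a95b0c3c9e2A6c77a16C177928294c0F6F04';
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/; // 20-byte hex address
const KEY_RE = /^(0x)?[0-9a-fA-F]{64}$/;  // 32-byte hex private key

function preflight(env) {
  const errors = [];
  const warnings = [];

  // The page uses two names for the signing key; never guess which one wins.
  const keyNames = ['PRIVATE_KEY', 'STAKING_PRIVATE_KEY'].filter((n) => env[n]);
  if (keyNames.length === 0) {
    errors.push('no signing key set');
  } else if (keyNames.length === 2 && env.PRIVATE_KEY !== env.STAKING_PRIVATE_KEY) {
    errors.push('PRIVATE_KEY and STAKING_PRIVATE_KEY are both set and differ');
  } else if (!env.STAKING_PRIVATE_KEY) {
    warnings.push('only PRIVATE_KEY is set; the scripts are reported to read STAKING_PRIVATE_KEY');
  }
  for (const n of keyNames) {
    // Report the variable name only; the key itself must never reach a log.
    if (!KEY_RE.test(env[n])) errors.push(`${n} is not a 32-byte hex key`);
  }

  for (const n of ['STAKINGVERSE_VAULT', 'MY_UP', 'CONTROLLER']) {
    if (!ADDRESS_RE.test(env[n] || '')) errors.push(`${n} is missing or malformed`);
  }
  // Case-insensitive compare: checksum casing varies between tools.
  const vault = (env.STAKINGVERSE_VAULT || '').toLowerCase();
  if (ADDRESS_RE.test(vault) && vault !== PINNED_VAULT.toLowerCase()) {
    errors.push('STAKINGVERSE_VAULT does not match the pinned Vault address');
  }

  let rpc = null;
  try { rpc = new URL(env.RPC_URL); } catch { errors.push('RPC_URL is missing or not a URL'); }
  if (rpc && rpc.protocol !== 'https:') errors.push('RPC_URL must use https');

  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample values (not a real key or profile).
const sampleEnv = {
  STAKINGVERSE_VAULT: PINNED_VAULT,
  MY_UP: '0x' + 'ab'.repeat(20),
  CONTROLLER: '0x' + 'cd'.repeat(20),
  PRIVATE_KEY: '0x' + '11'.repeat(32),
  RPC_URL: 'https://rpc.mainnet.lukso.network',
};
console.log(preflight(sampleEnv));
```

Calling `preflight(process.env)` before the wallet is constructed lets a script exit on the first error rather than sign with the wrong key or send to the wrong target.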
Quick Start
```bash
# Stake 10 LYX
node scripts/stake.js 10

# Check sLYX balance
node scripts/balance.js

# Request unstake of 5 sLYX
node scripts/unstake-request.js 5

# Check if withdrawal is ready
node scripts/check-claim.js

# Claim unstaked LYX (after oracle processes)
node scripts/claim.js
```
How It Works
The Stakingverse Architecture
Stakingverse is a liquid staking protocol on LUKSO:
- You stake LYX → Get sLYX tokens (1:1 ratio)
- sLYX appreciates → As staking rewards accrue, 1 sLYX > 1 LYX
- sLYX is liquid → Trade, transfer, or use in DeFi while earning
- Unstaking is 2-step → Request → Wait for oracle → Claim
Key Contracts
| Contract | Address | Purpose |
|---|---|---|
| Vault | 0x9F49a95b0c3c9e2A6c77a16C177928294c0F6F04 | Staking/unstaking logic |
| sLYX Token | 0x8a3982f4abcdc30f777910e8b5b5d8242628290a | Liquid staking token (LSP7) |
| Oracle | Multiple | Validates withdrawal requests |
Staking Flow
You (Controller)
↓
KeyManager.execute()
↓
UP.execute(CALL, Vault, 10 LYX, deposit())
↓
Vault receives LYX
↓
Vault mints sLYX to your UP
↓
You hold sLYX (earning rewards)
Unstaking Flow (Two-Step)
Step 1: Request Withdrawal
You (Controller)
↓
KeyManager.execute()
↓
UP.execute(CALL, Vault, 0, withdraw(sLYX_amount))
↓
Vault burns sLYX
↓
Oracle queue: withdrawal request created
Step 2: Wait for Oracle
↓ (Time passes - oracle processes)
Step 3: Claim LYX
You (Controller)
↓
KeyManager.execute()
↓
UP.execute(CALL, Vault, 0, claim())
↓
Oracle approves
↓
Vault sends LYX to your UP
Detailed Usage
Stake LYX
```javascript
const { ethers } = require('ethers');

// Setup
const provider = new ethers.JsonRpcProvider(process.env.RPC_URL);
const wallet = new ethers.Wallet(process.env.PRIVATE_KEY, provider);

// Vault ABI (minimal)
const VAULT_ABI = [
  'function deposit() external payable',
  'function balanceOf(address) view returns (uint256)'
];
const LSP0_ABI = [
  'function execute(uint256 operation, address target, uint256 value, bytes calldata data) external'
];
const LSP6_ABI = [
  'function execute(bytes calldata payload) external payable returns (bytes memory)'
];

const vaultInterface = new ethers.Interface(VAULT_ABI);
const upInterface = new ethers.Interface(LSP0_ABI);

// KEY_MANAGER is the address of the UP's LSP6 KeyManager; it is not among
// the variables listed under Required Credentials and must be set separately
const keyManager = new ethers.Contract(process.env.KEY_MANAGER, LSP6_ABI, wallet);

// CommonJS has no top-level await, so the transaction runs inside an async function
async function main() {
  // Amount to stake
  const stakeAmount = ethers.parseEther('10'); // 10 LYX

  // Encode deposit call on Vault
  const depositData = vaultInterface.encodeFunctionData('deposit');

  // Encode execute call on UP
  const executeData = upInterface.encodeFunctionData('execute', [
    0,                              // operation: CALL
    process.env.STAKINGVERSE_VAULT, // target: Vault
    stakeAmount,                    // value: LYX to stake
    depositData                     // data: deposit()
  ]);

  // Send via KeyManager
  const tx = await keyManager.execute(executeData);
  const receipt = await tx.wait();
  console.log(`Staked ${ethers.formatEther(stakeAmount)} LYX`);
  console.log(`Transaction: ${receipt.hash}`);
}

main().catch((err) => {
  console.error(err.message);
  process.exit(1);
});
```
Check sLYX Balance
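```javascript
// Reuses `ethers` and `provider` from the stake example; run inside an async function.
const SLYX_ABI = ['function balanceOf(address) view returns (uint256)'];
const slyx = new ethers.Contract(
  '0x8a3982f4abcdc30f777910e8b5b5d8242628290a',
  SLYX_ABI,
  provider
);

// Read-only call: no private key is needed to check a balance
const balance = await slyx.balanceOf(process.env.MY_UP);
console.log(`sLYX Balance: ${ethers.formatEther(balance)}`);
```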
Request Unstake
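```javascript
// Reuses `ethers`, `upInterface` and `keyManager` from the stake example; run inside an async function.
const amountToUnstake = ethers.parseEther('5'); // 5 sLYX

// The minimal VAULT_ABI in the stake example has no withdraw fragment, so encoding
// through it would throw. This fragment follows the withdraw(amount) call shown on
// this page; confirm it against the deployed Vault's ABI before use.
const withdrawInterface = new ethers.Interface(['function withdraw(uint256 amount) external']);

// Encode withdraw call on Vault
const withdrawData = withdrawInterface.encodeFunctionData('withdraw', [amountToUnstake]);

// Encode execute call on UP
const executeData = upInterface.encodeFunctionData('execute', [
  0,                              // operation: CALL
  process.env.STAKINGVERSE_VAULT, // target: Vault
  0,                              // value: 0 (no LYX sent)
  withdrawData                    // data: withdraw(amount)
]);

// Send via KeyManager
const tx = await keyManager.execute(executeData);
await tx.wait();
console.log(`Unstake requested for ${ethers.formatEther(amountToUnstake)} sLYX`);
console.log('Wait for oracle processing, then run claim.js');
```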
Check Claimable LYX
```javascript
// Reuses `ethers` and `provider` from the stake example; run inside an async function.
const VAULT_FULL_ABI = [
  'function getClaimableAmount(address) view returns (uint256)',
  'function getPendingWithdrawals(address) view returns (uint256)'
];
const vault = new ethers.Contract(
  process.env.STAKINGVERSE_VAULT,
  VAULT_FULL_ABI,
  provider
);

// Read-only calls: no private key is needed
const claimable = await vault.getClaimableAmount(process.env.MY_UP);
const pending = await vault.getPendingWithdrawals(process.env.MY_UP);
console.log(`Claimable LYX: ${ethers.formatEther(claimable)}`);
console.log(`Pending withdrawals: ${ethers.formatEther(pending)}`);
```
Claim Unstaked LYX
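```javascript
// Reuses `ethers`, `upInterface` and `keyManager` from the stake example; run inside an async function.
// The minimal VAULT_ABI in the stake example has no claim fragment, so encoding
// through it would throw. This fragment follows the parameterless claim() call shown
// on this page; confirm it against the deployed Vault's ABI before use.
const claimInterface = new ethers.Interface(['function claim() external']);

// Encode claim call on Vault (no parameters)
const claimData = claimInterface.encodeFunctionData('claim');

// Encode execute call on UP
const executeData = upInterface.encodeFunctionData('execute', [
  0,                              // operation: CALL
  process.env.STAKINGVERSE_VAULT, // target: Vault
  0,                              // value: 0 (no LYX sent)
  claimData                       // data: claim()
]);

// Send via KeyManager
const tx = await keyManager.execute(executeData);
const receipt = await tx.wait();
console.log(`Claimed LYX to your UP`);
console.log(`Transaction: ${receipt.hash}`);
```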
Transaction Flow Reference
Standard Pattern: KeyManager → UP → Target
All transactions must follow this flow:
```javascript
// 1. Encode the target contract call
const targetData = targetInterface.encodeFunctionData('functionName', [args]);

// 2. Encode UP.execute() wrapper
const upData = upInterface.encodeFunctionData('execute', [
  0,             // operation type (0 = CALL)
  targetAddress, // target contract
  value,         // LYX to send (0 for most calls)
  targetData     // encoded function call
]);

// 3. Send via KeyManager
const tx = await keyManager.execute(upData);
```
Common Issues
"Insufficient permissions"
- Your controller needs `CALL` and `TRANSFERVALUE` permissions
- Check: `keyManager.getPermissions(controllerAddress)`
"Withdrawal not ready"
- Oracle hasn't processed your request yet
- Check claimable amount before calling claim()
- Can take hours depending on oracle
"Invalid amount"
- Trying to unstake more sLYX than you have
- Check balance first: `sLYX.balanceOf(UP_ADDRESS)`
Important Notes
- APY varies: Currently ~8%, but changes based on network conditions
- sLYX is LSP7: Fungible token standard (like ERC20)
- Rewards auto-compound: sLYX value increases, no need to claim
- Oracle dependency: Unstaking requires oracle validation for security
- Gas costs: Controller pays gas for all transactions
Resources
- Stakingverse App: https://app.stakingverse.io
- Stakingverse Docs: https://docs.stakingverse.io
- LUKSO Docs: https://docs.lukso.tech
- sLYX Token: `0x8a3982f4abcdc30f777910e8b5b5d8242628290a`
