Bifrost Slpx Stake
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user exposes a main wallet private key, mistaken or unsafe agent actions could move, stake, redeem, or lock funds on-chain.
A raw Ethereum private key gives broad wallet signing authority, not just narrow permission to interact with Bifrost. The registry also declares no primary credential, making this high-impact authority easy to overlook.
`BIFROST_PRIVATE_KEY` | Private key for agent-side signing ... When `BIFROST_PRIVATE_KEY` is set, the agent can sign and broadcast transactions directly using `cast send`.
Prefer manual or hardware-wallet signing. If agent-side signing is used, use a dedicated low-balance wallet, restrict funded assets, and require explicit review of chain, contract, receiver, amount, gas, and calldata before every transaction.
A wrong chain, contract, amount, private key, or receiver could cause loss of funds or queue assets for redemption in a way the user did not intend.
The skill instructs the agent to use a raw transaction-sending tool for irreversible financial operations. In the provided excerpt, this is not paired with visible mandatory approval or bounded execution rules.
**Write transactions** — use `cast send` (requires wallet): ... `depositWithETH()` --value <AMOUNT_IN_WEI> ... --rpc-url <RPC_URL> --private-key <PRIVATE_KEY>
Before any broadcast, require user confirmation of exact transaction fields, simulate/read-preview where possible, verify the contract address from official Bifrost sources, and never auto-send based only on inferred intent.
Users may rely on unverified contract addresses or operational guidance for real financial transactions.
For a skill that tells the agent how to send funds to specific smart-contract addresses, missing source and homepage provenance materially reduce the user's ability to verify that the instructions are official and current.
Source: unknown; Homepage: none
Verify the contract addresses and workflow against official Bifrost documentation before use. The publisher should provide a verified source repository/homepage and signed or auditable release provenance.
