Agent Skill
Security checks across malware telemetry and agentic risk
Overview
This skill is upfront that it plays a real-money blockchain game, but it would let an unreviewed, unpinned CLI use a wallet private key and make recurring on-chain transactions.
Install only if you understand that this skill can use real crypto funds. Use a brand-new low-balance wallet, verify the CLI and contract independently, avoid @latest where possible, revoke unlimited approvals when done, and do not enable auto or cron mode unless you are comfortable with recurring unattended transactions.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the npm package changes or is compromised, the agent could run unreviewed code in an environment that may contain the wallet private key and real funds.
The allowed-tools list lets the agent run a mutable external npm CLI through npx with the @latest tag, yet none of the reviewed artifacts contains the package's code or an install spec, so what actually executes cannot be reviewed ahead of time.
allowed-tools: ["Bash(npx last-ai-standing-cli@latest *)", "Bash(las *)"]
Only use a pinned, verified CLI version from a trusted source, review the package before use, and run it with a fresh low-balance wallet.
A mistake, compromised CLI, or unintended invocation could spend, swap, approve, or otherwise affect real wallet funds.
The skill asks the agent and CLI to use a private key that controls real ETH and USDC. The registry metadata declares neither a primary credential nor a required environment variable, so this high-impact authority is under-surfaced to anyone reading the listing rather than SKILL.md.
"This skill manages a self-custodial wallet with real funds on Base." ... "export BASE_PRIVATE_KEY=0x..."
Use a dedicated wallet with only funds you are willing to risk, never reuse a main wallet key, and confirm that the platform will not invoke the skill autonomously without your approval.
Once approved, the game contract can transfer the wallet's USDC up to the allowance; with an unlimited allowance that is every USDC the wallet ever holds, so an overfunded wallet or untrusted contract behavior exposes far more than the game needs.
The CLI automatically grants an unlimited USDC allowance to the game contract before register and heartbeat commands, which is a high-impact financial permission with no stated cap.
"If insufficient, it approves `maxUint256` before proceeding."
Prefer a limited-allowance workflow, keep only small amounts in the wallet, and periodically revoke or inspect token approvals.
With cron or auto mode enabled, the CLI keeps submitting transactions until the automation is stopped or the wallet is empty.
The skill documents recurring autonomous operation to keep the agent alive. This matches the game purpose, but it can continue spending funds if scheduled without limits.
"# Or use auto mode (recommended for cron)\nlas auto"
If using auto mode, set clear operational limits, monitor balances, and fund the wallet only with a small, dedicated amount.
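The limited-allowance and bounded-spend workflow recommended for the allowance finding and for auto mode, as an added example written for this review (not code from the skill or its CLI). It builds the ERC-20 calldata needed to inspect and cap the approval offline, and sizes the cap from a per-run cost times the number of scheduled runs so a cron setup cannot spend beyond what was planned. The addresses are placeholders; the only facts assumed from outside the page are the standard ERC-20 selectors and USDC's 6 decimals.

```javascript
// Added example (not part of the skill): ERC-20 allowance inspection and
// capped approval, plus a spend plan for scheduled runs. Addresses are placeholders.
const MAX_UINT256 = (1n << 256n) - 1n;   // the value the CLI approves ("maxUint256")
const USDC_DECIMALS = 6n;                // USDC uses 6 decimals

// Well-known 4-byte selectors: first four bytes of keccak256 of the signature.
const SEL_APPROVE = '095ea7b3';   // approve(address,uint256)
const SEL_ALLOWANCE = 'dd62ed3e'; // allowance(address,address)

function pad32(hex) {
  return hex.replace(/^0x/, '').toLowerCase().padStart(64, '0');
}
function encodeAddress(addr) {
  const h = addr.replace(/^0x/, '');
  if (!/^[0-9a-fA-F]{40}$/.test(h)) throw new Error(`bad address: ${addr}`);
  return pad32(h);
}
function encodeUint256(v) {
  if (typeof v !== 'bigint' || v < 0n || v > MAX_UINT256) throw new Error('uint256 out of range');
  return pad32(v.toString(16));
}
// "12.5" -> 12500000n (base units); extra decimals are truncated, not rounded.
function usdc(amount) {
  const [whole, frac = ''] = String(amount).split('.');
  return BigInt(whole) * 10n ** USDC_DECIMALS + BigInt((frac + '000000').slice(0, 6));
}

// Calldata for an eth_call of allowance(owner, spender).
function encodeAllowanceCall(owner, spender) {
  return '0x' + SEL_ALLOWANCE + encodeAddress(owner) + encodeAddress(spender);
}
// Calldata for approve(spender, amount); amount 0n revokes.
function encodeApproveCall(spender, amount) {
  return '0x' + SEL_APPROVE + encodeAddress(spender) + encodeUint256(amount);
}
// Decode the 32-byte return data of allowance()/balanceOf().
function decodeUint256(returnData) {
  const h = returnData.replace(/^0x/, '');
  if (!/^[0-9a-fA-F]{64}$/.test(h)) throw new Error('unexpected return data');
  return BigInt('0x' + h);
}
function isUnlimited(allowance) {
  return allowance === MAX_UINT256;
}

// Size the cap from the scheduled runs and decide what to do about the
// current allowance: leave it, raise it to the cap, or revoke first because
// the CLI already granted maxUint256.
function planApproval(currentAllowance, perRunUsdc, runs) {
  const cap = perRunUsdc * BigInt(runs);
  if (isUnlimited(currentAllowance)) return { action: 'revoke-then-cap', cap };
  if (currentAllowance >= cap) return { action: 'none', cap };
  return { action: 'approve-cap', cap };
}

// Placeholder addresses for the walk-through (not the real game contract).
const WALLET = '0x' + '11'.repeat(20);
const GAME = '0x' + '22'.repeat(20);
console.log(encodeAllowanceCall(WALLET, GAME));
// Constructed return value standing in for what the node would answer: unlimited.
const current = decodeUint256('0x' + 'f'.repeat(64));
const plan = planApproval(current, usdc('1'), 30);
console.log(plan.action, plan.cap.toString());
console.log(encodeApproveCall(GAME, 0n));        // revoke
console.log(encodeApproveCall(GAME, plan.cap));  // then cap to 30 USDC
```

The plan sends `approve(spender, 0)` before `approve(spender, cap)` when an unlimited allowance is found, which is the conservative sequence for tokens that reject non-zero to non-zero changes and does no harm for USDC. Note that the CLI will re-approve `maxUint256` on its next register or heartbeat if the cap is below what it checks for, so the cap has to be re-checked after each run rather than set once.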
