Agent Skill
Security checks across malware telemetry and agentic risk
Overview
This skill is a disclosed blockchain game, but it asks an agent to control a real crypto wallet, grant very broad USDC approval, and potentially run an unpinned CLI automatically.
Only install this if you understand it gives the agent practical control over a crypto wallet. Use a fresh, low-balance wallet, pin and review the CLI, avoid unlimited approvals where possible, and do not enable auto/cron mode unless you set clear spending limits and stop conditions.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the private key or wallet authority is mishandled, the user can lose real cryptocurrency funds.
The skill explicitly uses a private key for a real crypto wallet, which gives the agent authority to spend funds and sign blockchain transactions.
**This skill manages a self-custodial wallet with real funds on Base.** ... Store `BASE_PRIVATE_KEY` only in environment variables or secured config files
Use only a dedicated low-balance wallet, never a main wallet, and verify that credential requirements and private-key handling are acceptable before installing.
The agent may authorize broad USDC spending, not just one heartbeat or registration payment.
Automatic unlimited token approval is much broader than a single payment and can expose all approved USDC to contract or CLI misuse.
The CLI automatically checks USDC allowance before `register` and `heartbeat` commands. If insufficient, it approves `maxUint256` before proceeding.
Prefer capped allowances, review the contract and CLI code, and set a small dedicated wallet balance before allowing these commands.
A future or compromised CLI release could handle the wallet private key and transactions differently from what the skill describes.
The skill permits running an unpinned @latest CLI package through Bash, while the provided artifact set contains no reviewed CLI code.
allowed-tools: ["Bash(npx last-ai-standing-cli@latest *)", "Bash(las *)"]
Pin the CLI to a reviewed version and inspect the package source before using it with a funded wallet.
The agent could continue spending USDC and gas over time to stay alive in the game.
The skill encourages a recurring autonomous mode for ongoing gameplay, but the visible instructions do not define budget limits, user confirmations, or a stopping condition.
# Or use auto mode (recommended for cron)
las auto
Run auto mode only with explicit user approval, a limited wallet balance, and clear stop conditions.
