Agent Skill
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: last-ai-standing Version: 0.1.3 The skill is designed to interact with a DeFi game involving real funds on the Base blockchain, which is inherently high-risk. It is classified as suspicious due to the broad `allowed-tools` permission (`Bash(npx last-ai-standing-cli@latest *)`) in `SKILL.md`, which allows the agent to execute the `las` CLI with arbitrary arguments, creating a significant attack surface for potential prompt injection or command injection if the agent's input is not strictly controlled. Additionally, the `las` CLI automatically grants `maxUint256` USDC allowance to the contract, a high-privilege action, and the `las identity register` command can create public GitHub Gists, involving network outbound calls and public data sharing. While these actions are presented as part of the skill's legitimate functionality, they represent powerful capabilities that could be abused, even if no explicit malicious intent is present in the provided instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent, CLI, environment, or logs mishandle the private key, the wallet’s funds could be lost or stolen.
The skill requires access to a private key controlling real funds. That is high-impact account authority, and the registry metadata does not declare a primary credential or required environment variable.
**This skill manages a self-custodial wallet with real funds on Base.** ... Store `BASE_PRIVATE_KEY` only in environment variables or secured config files
Use only a dedicated burner wallet with limited funds, keep the key out of chat/logs, and treat BASE_PRIVATE_KEY as a high-risk credential even though the registry metadata does not declare it.
The wallet may grant the contract very broad spending allowance for USDC, increasing loss exposure if the contract, CLI, or workflow behaves unexpectedly.
Automatic maximum USDC approval is a broad financial permission. The artifact does not show a safer cap, explicit per-use approval, or clear revocation guidance.
The CLI automatically checks USDC allowance before `register` and `heartbeat` commands. If insufficient, it approves `maxUint256` before proceeding.
Prefer limited allowances, verify the contract independently, use a small funded wallet, and revoke allowances when finished.
A changed or compromised CLI release could run different code than what the user expected, with access to the wallet key and transaction authority.
The skill permits execution of an unpinned '@latest' npm CLI, while no code files or install spec are included for review. That mutable external code would handle wallet keys and blockchain transactions.
allowed-tools: ["Bash(npx last-ai-standing-cli@latest *)", "Bash(las *)"]
Pin the CLI to a reviewed version, verify its package provenance/source, and avoid running mutable '@latest' tooling with private keys.
The agent could continue making transactions and spending gas/USDC over time if scheduled without external controls.
The skill encourages recurring automated operation for a game that requires ongoing payments, but the visible artifact does not define spending caps, stop conditions, or monitoring requirements.
# Or use auto mode (recommended for cron) las auto
Do not enable auto/cron mode unless you set strict wallet funding limits, monitoring, and a clear stop/revocation plan.