Kelp Forest

v1.0.0

Autonomously stake MOLT or V3 LP NFTs on Base to earn KELP rewards, auto-harvest for others, and receive 3.5% keeper fees.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md implements an on-chain yield-farming agent for the Base network (registering an agent, approving MOLT, depositing, harvesting, keeper loop). That functionality matches the implied name, but the package metadata provides no description, no source/homepage, and does not declare the sensitive credential (WALLET_KEY) the instructions require.
Instruction Scope [!]
Instructions explicitly require a private key via WALLET_KEY, call contract methods that can move funds (approve, deposit, withdraw), and recommend approving a very large allowance (parseUnits('999999999',18)). Approving unlimited allowances and running deposit/withdraw operations are expected for such an agent but are high-risk actions and should be clearly surfaced in metadata and documentation; the skill does not.
Install Mechanism
This is instruction-only (no install spec or code files). It asks users to run 'npm install ethers' and run the provided node scripts — expected and low-risk from an installer perspective because no arbitrary remote downloads or extract steps are specified.
Credentials [!]
The runtime requires a wallet private key (WALLET_KEY) and a funded wallet, but the registry lists no required env vars or primary credential. Requesting a high-privilege secret (private key) is proportionate to the task only if documented; omission from metadata is an incoherence and a security concern. The instructions also suggest very large token approvals which are disproportionate unless justified.
Persistence & Privilege
The skill does not request always:true or any platform-level persistence and is instruction-only. However, if an agent or platform were given a private key and allowed autonomous invocation, the combination would enable automated transfers — users should be aware of the risk of giving any agent private key access.
What to consider before installing
This skill contains runnable scripts that require your wallet private key and will approve/deposit tokens on the Base network. Before using it:
(1) Do not paste or export your main/private wallet key into an untrusted environment — prefer an ephemeral wallet or a hardware wallet.
(2) Verify the smart contract addresses and inspect the contract code on a block explorer (ensure the FOREST contract is audited/trusted).
(3) Never approve unlimited allowances; change the approve amount to a minimal needed value and/or revoke allowances after use.
(4) Require the publisher to add metadata: declare WALLET_KEY as a required env var, provide source code repository and homepage, and explain why large approvals are necessary.
(5) Test on a testnet or with a small amount first.
(6) If the agent platform would run skills autonomously, avoid supplying long-lived private keys to the platform.
These inconsistencies (missing required-env declaration, no source/homepage, and risky default approvals) are why I rate the skill as suspicious; additional publisher/source information and metadata fixes would increase confidence.
