Lsp28 Grid
Security checks across malware telemetry and agentic risk
Overview
The skill is purpose-aligned, but it asks for a Universal Profile controller private key and can submit on-chain profile updates without a built-in confirmation or declared credential requirement.
Install only if you are comfortable giving the workflow a Universal Profile controller key and letting it submit LUKSO transactions. Use a limited-permission key, verify all addresses and grid content, and add a manual approval or dry-run step before broadcasting updates.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and used, the agent or script may be given a private key that can authorize changes through the Universal Profile Key Manager.
The skill asks for a controller private key and account-related addresses, but the registry metadata lists no required credentials or environment variables. A controller key is high-impact account authority even though it is used for the stated grid-management purpose.
export UP_PRIVATE_KEY="your_controller_private_key"
export UP_ADDRESS="your_universal_profile_address"
export KEY_MANAGER="your_key_manager_address"
Use a narrowly permissioned controller key if possible, avoid pasting high-value private keys into editable scripts, and verify the KeyManager and profile addresses before any transaction.
A mistaken or autonomous invocation could publish an unwanted grid update and spend transaction fees.
The script directly submits a KeyManager transaction to update the grid once invoked. It does not include a confirmation prompt, simulation, or dry-run before making a persistent on-chain change.
const tx = await keyManager.execute(setDataCalldata);
console.log('Transaction:', tx.hash);
const receipt = await tx.wait();
Review the grid JSON, addresses, and transaction data before running the script; prefer adding a confirmation or dry-run step before submission.
The skill may not run until dependencies are installed, and dependency selection is left to the user environment.
The included script depends on the external ethers package, but the artifacts provide no package manifest, lockfile, or install specification. This is not suspicious by itself, but users must ensure they install a trusted version.
const { ethers } = require('ethers');
Install ethers from a trusted package registry, pin the version, and use a lockfile if adapting this script.
