Lsp28 Grid
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is purpose-aligned, but it needs review because it requires an undeclared blockchain controller private key and can publish Universal Profile grid changes on-chain immediately, without a confirmation step.
Use this only if you understand it can update your LUKSO Universal Profile grid on mainnet. Prefer a limited-permission controller key, verify the KeyManager and RPC endpoint, inspect any grid JSON and external URLs before broadcasting, and avoid using a high-value private key directly.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent or script could use a sensitive controller key to mutate the user's Universal Profile; the actual permissions of that key are not bounded in the artifacts.
The skill requires a blockchain controller private key and KeyManager address to act on a Universal Profile, while the registry metadata declares no credential or required environment variables.
export UP_PRIVATE_KEY="your_controller_private_key"
export UP_ADDRESS="your_universal_profile_address"
export KEY_MANAGER="your_key_manager_address"
Use only a restricted controller key with the minimum LSP28/setData permission, verify the KeyManager and profile address manually, and ensure the skill metadata declares the required credential.
A mistaken grid file, wrong KeyManager, or autonomous agent invocation could overwrite public profile grid data and spend gas.
The script immediately sends a KeyManager transaction that writes the LSP28 grid data when the CLI path calls updateGrid, with no explicit confirmation, dry run, or target-profile verification shown.
const tx = await keyManager.execute(setDataCalldata);
console.log('Transaction:', tx.hash);
const receipt = await tx.wait();
Add a dry-run/preview mode, require explicit user approval before broadcasting, validate the target network and KeyManager, and show the decoded grid data before sending the transaction.
Users may install an unpinned or unexpected ethers version to run the script.
The included script depends on ethers, but the supplied artifacts include no package.json, lockfile, or install specification to pin or declare that dependency.
const { ethers } = require('ethers');
Provide a package.json and lockfile with a pinned ethers version, or document the exact trusted installation command.
