Lukso Expert

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent instruction-only LUKSO reference skill, with user-directed blockchain examples that should be reviewed before copying or running.

This skill appears safe to use as a LUKSO reference. Before acting on its examples, verify contract addresses and endpoints against official LUKSO documentation, protect private keys and API keys, and require explicit human approval for deployments, permission changes, token transfers, follows/unfollows, or any command that runs a remote installer.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If copied into a live project and executed, examples like this can move funds or change blockchain state.

Why it was flagged

The reference includes copyable code for value-transferring on-chain calls. This is purpose-aligned for a blockchain developer guide, but users should not let an agent run or adapt such transactions without explicit review.

Skill content

await up.execute(
  0,
  recipient,
  ethers.parseEther("1.0"),
  "0x"
);

Recommendation

Use testnet first, verify recipient addresses and calldata, and require explicit approval before executing any transaction generated from this skill.

What this means

A leaked private key or overbroad controller permission can give someone control over a Universal Profile and its assets.

Why it was flagged

The examples show use of a private key and broad Universal Profile controller permissions. That is expected for LUKSO deployment guidance, but it is high-impact if used carelessly.

Skill content

accounts: [process.env.PRIVATE_KEY!], ... erc725.encodePermissions({ CHANGEOWNER: true, ... SUPER_TRANSFERVALUE: true, SUPER_CALL: true, ... EXECUTE_RELAY_CALL: true })

Recommendation

Keep private keys outside prompts and logs, prefer least-privilege permissions where possible, and review permission sets before deploying them.

What this means

If a user copies and runs the command, their shell will execute whatever the remote installer serves at that time.

Why it was flagged

The skill does not install or run this command, but the reference material includes a remote script piped directly to a shell.

Skill content

LUKSO CLI | `curl https://install.lukso.network | sh` — node/validator setup

Recommendation

Inspect installer scripts before running them, use official documentation links, and avoid executing remote shell installers automatically.