Stakingverse Ethereum
v1.0.0Stake ETH on StakeWise (Ethereum liquid staking). Use when the user wants to stake ETH, unstake ETH, or check staked positions on StakeWise V3 vaults. Suppor...
⭐ 0· 485·0 current·0 all-time
byLUKSO Agent@luksoagent
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The stated purpose (stake/unstake/check positions on StakeWise V3) matches the code behavior: the scripts call a Vault contract, query a StakeWise subgraph, and sign transactions. However registry metadata claims no required environment variables while SKILL.md/README/scripts require a private key, address, RPC URL and vault address. That mismatch (registry vs docs/code) is suspicious and reduces trust.
Instruction Scope
Runtime instructions require a private key and address (expected for signing transactions) and tell the agent to run the included scripts. Problems: the README and SKILL.md reference different env var names (SKILL.md: PRIVATE_KEY, README: ETH_PRIVATE_KEY), the code uses process.env.ETH_PRIVATE_KEY (and falls back to literal placeholders), SKILL.md lists KEEPER but scripts do not use that env var, and Quick Start references scripts/unstake.js which is not present. There are also ABI / parameter ordering inconsistencies between the prose and the code. These inconsistencies could cause unexpected failures or misconfiguration and warrant manual inspection before running with real keys.
Install Mechanism
No install spec is provided (instruction-only skill with JS files). This is low-risk from an installer perspective because nothing is downloaded or installed automatically by the platform. However the package includes runnable scripts that will execute locally when invoked.
Credentials
Requesting a private key and RPC_URL is proportionate for software that must sign on-chain transactions. That said, the repository/doc inconsistencies around variable names (PRIVATE_KEY vs ETH_PRIVATE_KEY vs code fallbacks) and the presence of an unused KEEPER env variable reduce clarity. Ensure you do not paste real private keys into untrusted environments; consider using a signing service or hardware key instead of raw env vars.
Persistence & Privilege
The skill does not request always:true, does not attempt to modify other skills, and has no install script that would persist code outside the skill bundle. It runs only when invoked.
What to consider before installing
This skill contains runnable scripts that will use your Ethereum private key to sign transactions — that is expected for staking, but do not run these with your main wallet until you verify the code. Before installing/using: 1) Confirm the source repository and its integrity (the package has no homepage and the registry metadata is sparse). 2) Inspect stake.mjs, check-state.js, and position.js locally to confirm endpoints and contract addresses are correct. 3) Note env var name mismatches: README suggests ETH_PRIVATE_KEY, SKILL.md shows PRIVATE_KEY, and the code uses ETH_PRIVATE_KEY; set the correct variable or update the scripts. 4) There is no scripts/unstake.js though Quick Start mentions it — expect missing functionality. 5) Run with a throwaway wallet and tiny test amounts first. 6) Prefer using a remote signer/hardware wallet rather than placing a long-term private key in environment variables. If you are not comfortable auditing JavaScript code yourself, do not provide a live private key.Like a lobster shell, security has layers — review code before you run it.
latestvk970b2gs0c994hbkjskx84fdas81eyr3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.