Stakingverse Ethereum
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is aligned with StakeWise staking, but it asks for a raw Ethereum private key and can broadcast mainnet staking transactions without declared credential requirements or an explicit confirmation safeguard.
Only use this with a dedicated wallet containing funds you are willing to stake, never with your main wallet private key. Verify the StakeWise vault address, network, repository, and dependencies first. Do not run the staking command unless you have reviewed the exact amount, receiver address, and gas cost, and you understand that the included artifacts do not provide the advertised unstake script.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with a real wallet key, the skill can sign transactions from that wallet. A mistake or compromise could put the wallet’s ETH and tokens at risk.
The code reads a raw Ethereum private key and uses it to create a signing wallet. That key grants broad control over the wallet, while the registry metadata lists no required env vars or primary credential.
const PRIVATE_KEY = process.env.ETH_PRIVATE_KEY || 'YOUR_PRIVATE_KEY';
...
const wallet = new ethers.Wallet(PRIVATE_KEY, provider);
Use a dedicated low-balance staking wallet, prefer wallet-based signing over raw private keys, and require the skill metadata to declare the private-key credential clearly.
Running the script with a real key can immediately stake the specified amount of ETH on mainnet, including any gas costs, and blockchain transactions are not easily reversible.
The script broadcasts a value-bearing Ethereum mainnet staking transaction and waits for confirmation. This is purpose-aligned, but the artifacts do not show a required user confirmation or transaction review step before sending funds.
const tx = await vault.updateStateAndDeposit(
  MY_ADDRESS,
  deadline,
  harvestParams,
  { value: amountWei }
);
...
const receipt = await tx.wait();
Before any transaction, require an explicit user approval that shows the amount, vault address, receiver address, network, estimated gas, and expected result.
A user may stake funds believing the same skill can help them exit later, but the included files do not provide that unstaking path.
The skill advertises unstaking and references scripts/unstake.js, but the provided file manifest includes only check-state.js, position.js, and stake.mjs. The unstake capability is therefore not supported by the supplied artifacts.
- **Unstake ETH** → Burn osETH for ETH
...
# Unstake 0.05 osETH
node scripts/unstake.js 0.05
Add and review the unstake implementation, or remove the unstake claims so users understand the skill only stakes and checks positions.
Installing or running unreviewed code or dependencies in a wallet-key workflow can increase the chance of supply-chain compromise.
The README directs users to clone a repository and install ethers without a lockfile or pinned version in the provided artifacts. This is normal setup documentation, but provenance matters more because the scripts handle wallet keys and financial transactions.
git clone https://github.com/LUKSOAgent/stakingverse-ethereum-skill.git
cd stakingverse-ethereum-skill
npm install ethers
Verify the repository, pin dependencies with a lockfile, and avoid entering private keys until the exact code and dependency versions have been reviewed.
