a2a-Market-Stake-Freeze
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent with its stated stake-policy purpose, but users should review the high-impact stake slashing logic and the unsupported claim about missing runtime code before relying on it.
This skill is safe to treat as policy-design guidance rather than executable code. If you use it to build real stake locking or slashing behavior, add explicit human or policy approval for penalties, strong audit trails, evidence validation, timeout safeguards, and review any separately provided runtime files before trusting implementation or test claims.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If implemented incorrectly, the policy could lock, release, or slash participant stake in ways that affect money, collateral, or market participation.
The skill instructs implementation of stake mutation and automatic penalty decisions. This is aligned with the stated stake-policy purpose, but it is high-impact business logic that should have strong approval, testing, audit, and rollback controls in the consuming project.
`slash_stake(lock_id, reason, evidence)` applies penalty and emits incident log. `evaluate_timeout_locks(now_ts)` handles automatic release/slash decisions.
Before using it in production, require explicit authorization boundaries, deterministic tests, audit logs, evidence validation, and a safe dispute or rollback process for slashing decisions.
A user might assume there is reviewed runtime code and test coverage when the supplied package is actually instruction-only.
The provided manifest contains only SKILL.md and no runtime files, so the claimed implementation and tests are not present in the reviewed artifact. This appears to be a documentation/provenance gap rather than evidence of malicious behavior.
Status: implemented in local runtime package. Primary code paths: `runtime/src/domain/stake-policy.js` ... Validation: covered by `runtime/tests` and `npm test` in `runtime/`.
Do not rely on the referenced runtime implementation or tests unless those files are separately supplied and reviewed.