ClawHub
Back to skill
v1.0.3

INCLAWNCH UBI Staking

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:50 AM.

Analysis

This is a coherent staking skill, but users should verify contract details and transaction amounts before signing any wallet actions.

GuidanceInstall only if you intend to interact with this specific Base staking contract. For any write action, verify the chain, contract, token, function, and amount in your wallet before signing, and consider independently checking the contract and project provenance.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
Two-step process — both are on-chain transactions signed by the wallet: ... approve(address spender, uint256 amount) ... stake(uint256 amount)

The skill provides transaction details for token approval and staking. This is expected for a staking skill, but transaction construction for financial assets is high-impact if used with the wrong amount or contract.

User impactA mistaken or unintended wallet transaction could approve token spending, stake tokens, unstake, claim, or exit a position.
RecommendationBefore signing, verify the chain, contract address, token address, function, and amount shown in the wallet prompt.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceMediumStatusNote
metadata
Source: unknown

The registry does not identify a source repository. There is no installable code here, but provenance matters more for a skill that points users to financial smart-contract interactions.

User impactUsers have less registry-level provenance for verifying who authored the staking instructions.
RecommendationIndependently verify the project website, contract address, and token address before using the skill for real transactions.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
All write operations are signed transactions sent to the InclawnchStaking contract on Base. Each requires the caller's wallet to sign

The skill relies on the user's wallet authority for on-chain writes. This is purpose-aligned and disclosed, but wallet signatures are delegated account authority.

User impactSigning a transaction uses your wallet identity and can change your token balances, staking position, or contract settings.
RecommendationUse a wallet with only the funds you intend to stake, and do not sign transactions you did not explicitly request.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
curl "https://inclawbate.com/api/inclawbate/staking?wallet=0xYourWallet"

Wallet-position lookups send the queried wallet address to the public inclawbate.com API. This is disclosed and aligned with the read feature, but wallet addresses can be linkable personal or financial identifiers.

User impactThe API provider can see which wallet address was queried.
RecommendationOnly query wallet addresses you are comfortable sharing with the API provider, or prefer direct on-chain reads when privacy matters.