clawmegle staking
Analysis
This staking skill is mostly aligned with its stated purpose, but it can spend or move crypto assets using wallet or Bankr API credentials, and its transaction scripts contain unsafe input handling and inconsistent calldata that users should review before installing.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
"$SCRIPT_DIR/bankr.sh" "Approve $STAKING_CONTRACT to spend $AMOUNT CLAWMEGLE on Base"
...
"$SCRIPT_DIR/bankr.sh" "Submit this transaction on Base: {\"to\": \"$STAKING_CONTRACT\", \"data\": \"0xa694fc3a$(printf '%064x' $AMOUNT_WEI)\", \"value\": \"0\", \"chainId\": 8453}"The script asks Bankr to approve token spending and submit raw transaction calldata. That is purpose-aligned for staking, but it is high-impact financial mutation with no explicit confirmation or dry-run guard in the artifact.
# depositRewards(uint256) = 0x8bdf67f2
DEPOSIT_DATA="0x8bdf67f2${CLAWMEGLE_HEX}"

This transaction script hard-codes a depositRewards selector that conflicts with the reference file, which lists depositRewards(uint256) as `0x49bdc2b8`. Only one of the two can be the first four bytes of keccak256("depositRewards(uint256)"), and the artifacts do not show which. Calldata built with the wrong selector will at best revert and at worst call a different function that happens to have that selector. Inconsistent calldata in a script that can send ETH/tokens is a material safety issue.
ETH_WEI=$(python3 -c "print(int(float('$ETH_AMOUNT') * 10**18))")
CLAWMEGLE_WEI=$(python3 -c "print(int(float('$CLAWMEGLE_AMOUNT') * 10**18))")

User-supplied amount arguments are interpolated directly into Python source. If an agent passes an untrusted or malformed amount string, it can close the quoted literal and execute arbitrary local Python code with the script's privileges. Even for well-formed input, converting through float silently loses precision for amounts with more than about 15 significant digits.
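As an added illustration (not code from the skill, its author, or ClawScan), the Python below shows what the three findings above are missing: strict validation of the amount before it reaches any interpreter, exact decimal-to-wei conversion with no float in the path, and uint256 calldata encoding with a pre-send check that the selector, recipient, chain id and amount match what the user asked for. The contract address is the one quoted in the skill's SKILL.md; everything else (function names, the is_valid_amount helper, the constructed bad inputs) is this example's own. It deliberately does not decide which depositRewards selector is correct, since that needs keccak256 of the signature, which the artifacts do not settle.

```python
import re

DECIMALS = 18
UINT256_MAX = 2**256 - 1
BASE_CHAIN_ID = 8453

# Selectors as they appear in the reviewed artifacts. stake(uint256) is the
# one used by the Bankr stake script; the two depositRewards values are the
# conflict the review flags, and this example does not decide which is right.
STAKE_SELECTOR = "a694fc3a"
DEPOSIT_REWARDS_IN_SCRIPT = "8bdf67f2"
DEPOSIT_REWARDS_IN_REFERENCE = "49bdc2b8"

# A plain non-negative decimal. Nothing else (exponents, signs, hex, quotes,
# code fragments) gets past this point.
_AMOUNT_RE = re.compile(r"(?:0|[1-9][0-9]*)(?:\.[0-9]+)?")


def amount_to_wei(text: str, decimals: int = DECIMALS) -> int:
    """Convert a human token amount to an exact integer base-unit value.

    The reviewed script runs int(float('$AMOUNT') * 10**18) inside a
    python3 -c string, which both evaluates whatever $AMOUNT contains as
    Python and loses precision past ~15 significant digits. Here the string
    is validated first and converted with integer string arithmetic only.
    """
    s = text.strip()
    if not _AMOUNT_RE.fullmatch(s):
        raise ValueError(f"rejected amount {text!r}: not a plain decimal")
    whole, _, frac = s.partition(".")
    if len(frac) > decimals:
        raise ValueError(f"rejected amount {text!r}: more than {decimals} decimals")
    wei = int(whole + frac.ljust(decimals, "0"))
    if wei > UINT256_MAX:
        raise ValueError("amount does not fit in uint256")
    return wei


def is_valid_amount(text: str) -> bool:
    """True if amount_to_wei would accept `text` (hypothetical helper for
    refusing input before any command line is assembled)."""
    try:
        amount_to_wei(text)
        return True
    except ValueError:
        return False


def encode_uint256(value: int) -> str:
    """ABI-encode one uint256 as 64 hex characters. Python ints are
    arbitrary precision, so unlike bash's printf '%064x' this keeps working
    once the amount no longer fits in 64 bits."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value out of uint256 range")
    return value.to_bytes(32, "big").hex()


def build_calldata(selector: str, value: int) -> str:
    sel = selector.lower().removeprefix("0x")
    if not re.fullmatch(r"[0-9a-f]{8}", sel):
        raise ValueError("selector must be exactly 4 bytes of hex")
    return "0x" + sel + encode_uint256(value)


def decode_calldata(data: str) -> tuple[str, int]:
    """Split calldata back into (selector, uint256 argument)."""
    body = data.lower().removeprefix("0x")
    if not re.fullmatch(r"[0-9a-f]{72}", body):
        raise ValueError("expected a 4-byte selector followed by one 32-byte word")
    return body[:8], int(body[8:], 16)


def check_stake_tx(tx: dict, staking_contract: str, amount_wei: int) -> list[str]:
    """Pre-send guard: list every reason a prepared stake transaction must
    not be submitted. An empty list means it matches exactly what the user
    asked for; anything else should stop the agent, not just be logged."""
    problems = []
    if tx.get("chainId") != BASE_CHAIN_ID:
        problems.append(f"chainId {tx.get('chainId')!r} is not Base ({BASE_CHAIN_ID})")
    if str(tx.get("to", "")).lower() != staking_contract.lower():
        problems.append("recipient is not the staking contract")
    if str(tx.get("value", "0")) != "0":
        problems.append("stake(uint256) must not carry ETH value")
    try:
        sel, amt = decode_calldata(str(tx.get("data", "")))
    except ValueError as e:
        return problems + [str(e)]
    if sel != STAKE_SELECTOR:
        problems.append(f"selector {sel} is not stake(uint256) {STAKE_SELECTOR}")
    if amt != amount_wei:
        problems.append(f"encoded amount {amt} differs from requested {amount_wei}")
    return problems


if __name__ == "__main__":
    contract = "0x56e687aE55c892cd66018779c416066bc2F5fCf4"  # address quoted in SKILL.md
    wei = amount_to_wei("1000")  # 10**21 wei, more than a 64-bit printf can hold
    tx = {"to": contract, "data": build_calldata(STAKE_SELECTOR, wei),
          "value": "0", "chainId": BASE_CHAIN_ID}
    print(tx["data"], check_stake_tx(tx, contract, wei))
    # Constructed bad inputs, including the kind of string that would break
    # out of the script's quoted Python literal.
    for bad in ["1') or __import__('os').system('id') #", "1e18", "-5", "0x10", "1."]:
        print(repr(bad), "accepted" if is_valid_amount(bad) else "rejected")
```

On the shell side, the equivalent fix is to stop interpolating: pass the amount as an argument (for example `python3 -c 'import sys; ...' "$ETH_AMOUNT"` and read it from `sys.argv`) so the value can never be parsed as code, and reject anything that is not a plain decimal before the command line is built.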
## Periodic Check (every 1-2 hours) ... If pending rewards exceed your threshold, claim them: ... ./scripts/claim-bankr.sh
The heartbeat guidance tells an agent to periodically check rewards and auto-claim above a threshold. This is disclosed and related to staking, but it is autonomous financial activity: each check can submit a signed transaction without a human in the loop, gated only by the user's reward threshold as far as the artifact shows.
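As an added example (not part of the skill or of ClawScan), the Python below sketches the guard rails this finding and the earlier stake/submit finding lack: a reward threshold, a cooldown between claims, a daily cap and a dry-run default, so a heartbeat tick can only send a claim when every rule passes and every refusal says why. All names and thresholds are this example's assumptions; `submit` stands in for whatever actually sends the transaction (the skill's claim-bankr.sh, for instance), and the tick readings in the usage are constructed.

```python
from dataclasses import dataclass, field

DAY_S = 86400


@dataclass
class ClaimPolicy:
    """Limits a heartbeat tick must satisfy before it may send a claim.
    The numbers are hypothetical defaults chosen for this example."""
    min_pending_wei: int            # below this, gas would eat the reward
    min_interval_s: int = 3600      # at most one claim per hour
    max_claims_per_day: int = 4     # hard cap on autonomous sends per 24h
    dry_run: bool = True            # report what would happen, never send


@dataclass
class ClaimState:
    claimed_at: list = field(default_factory=list)   # unix times of sent claims


def claim_decision(policy: ClaimPolicy, state: ClaimState,
                   pending_wei: int, now: int) -> tuple[bool, str]:
    """Decide whether this tick may claim. Every refusal names the rule that
    tripped so the heartbeat log explains why nothing was sent."""
    if pending_wei < policy.min_pending_wei:
        return False, f"pending {pending_wei} wei below threshold {policy.min_pending_wei}"
    if state.claimed_at and now - state.claimed_at[-1] < policy.min_interval_s:
        return False, "cooldown since last claim has not elapsed"
    in_last_day = [t for t in state.claimed_at if now - t < DAY_S]
    if len(in_last_day) >= policy.max_claims_per_day:
        return False, f"daily cap of {policy.max_claims_per_day} claims reached"
    return True, "claim"


def heartbeat(policy: ClaimPolicy, state: ClaimState,
              pending_wei: int, now: int, submit) -> str:
    """One heartbeat tick. `submit` is the caller's transaction sender; it is
    only invoked when every rule passes and dry_run is off. Returns a
    one-line log entry."""
    ok, reason = claim_decision(policy, state, pending_wei, now)
    if not ok:
        return f"skip: {reason}"
    if policy.dry_run:
        return f"dry-run: would claim {pending_wei} wei (not sent)"
    submit(pending_wei)
    state.claimed_at.append(now)
    return f"sent: claimed {pending_wei} wei"


def simulate(ticks, policy: ClaimPolicy):
    """Replay (now, pending_wei) readings through the policy. Returns the log
    lines and how many claims were actually submitted."""
    state = ClaimState()
    sent = []
    log = [heartbeat(policy, state, pending, now, sent.append) for now, pending in ticks]
    return log, len(sent)


if __name__ == "__main__":
    # Constructed readings: pending rewards sampled every 30 minutes, then
    # one more reading a day later.
    ticks = [(0, 5 * 10**14), (1800, 2 * 10**15), (3600, 3 * 10**15),
             (5400, 3 * 10**15), (9000, 4 * 10**15), (90000, 4 * 10**15)]
    live = ClaimPolicy(min_pending_wei=10**15, min_interval_s=3600,
                       max_claims_per_day=2, dry_run=False)
    for line in simulate(ticks, live)[0]:
        print(line)
```

With the constructed readings above, the live policy sends three claims out of six ticks (one skipped as dust, one by the cooldown, one by the daily cap); the same readings under the default dry-run policy send nothing and only report.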
**Contract** | `0x56e687aE55c892cd66018779c416066bc2F5fCf4` (deployment pending) ... - **No admin keys** - Contract cannot be drained - **Audited patterns** - Uses OpenZeppelin + MasterChef accumulator
The skill makes strong safety claims ("no admin keys", "cannot be drained", "audited patterns") while also describing the contract as deployment pending. The artifacts provide no verified source, audit report, or deployed-bytecode check against which those claims could be tested, and using OpenZeppelin and MasterChef-style patterns is not the same as the deployed contract having been audited.
TX=$(cast send "$STAKING_CONTRACT" \
"stake(uint256)" "$AMOUNT_WEI" \
--rpc-url "$RPC" \
--private-key "$PRIVATE_KEY" \
--json)

The registry requirements list curl, jq, and bc, but the direct-wallet scripts also rely on cast (Foundry), and deposit-rewards.sh relies on python3. The missing declarations are not malicious by themselves, but they reduce install transparency. Passing the signing key via --private-key also places it in the cast process's argument list, where it is visible to other local processes while the command runs.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
One of: - **Bankr API key** configured at `~/.clawdbot/skills/bankr/config.json` - **Private key** with ETH for gas on Base
The registry metadata says there is no primary credential and no required environment variable, yet the skill requires either a transaction-capable Bankr API key or a raw wallet private key to sign financial transactions, so the metadata understates the credential exposure.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Track your staking state in `memory/clawmegle-staking.json`: ... "wallet": "0x...", "stakedAmount": "1000000000000000000000", "totalEthClaimed": "5000000000000000"
The skill suggests storing the wallet address and staking/reward history in persistent agent memory. This is purpose-aligned, but it creates reusable financial context that later agent turns may treat as authoritative; it should be checked against on-chain state rather than trusted, and not exposed to other tools or agents.
